Session helpers

The FortiOS firewall can analyze most TCP/IP protocol traffic by comparing packet header information to security policies. This comparison determines whether to accept or deny the packet and the session that the packet belongs to.

Some protocols include information in the packet body (or payload) that must be analyzed to successfully process sessions for this protocol. For example, the SIP VoIP protocol uses TCP control packets with a standard destination port to set up SIP calls. But the packets that carry the actual conversation can use a variety of UDP protocols with a variety of source and destination port numbers. The information about the protocols and port numbers used for a SIP call is contained in the body of the SIP TCP control packets. To successfully process SIP VoIP calls, FortiOS must be able to extract information from the body of the SIP packet and use this information to allow the voice-carrying packets through the firewall.

FortiOS uses session helpers to analyze the data in the packet bodies of some protocols and adjust the firewall to allow those protocols to send packets through the firewall.
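As an added illustration (not FortiOS code) of what a SIP session helper has to pull out of the packet body: the SDP carried in an INVITE names the UDP address/port pairs the voice and video streams will use, and only from those can the firewall open matching pinholes. The INVITE below is constructed, and the RTCP port is assumed to follow the usual RTP+1 convention; neither comes from the page.

```python
"""Extract media pinholes from the SDP body of a SIP INVITE.

Added example, not FortiOS code.  The message is constructed; 'rtcp_port'
assumes the RTCP-on-RTP+1 convention, which the page does not discuss."""

# Constructed SDP body: a session-level c= line, two media streams, and a
# media-level c= line that overrides the address for the second stream.
SDP_BODY = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
    "m=video 51372 RTP/AVP 31\r\n"
    "c=IN IP4 192.0.2.11\r\n"
)

# Constructed INVITE; Content-Length is derived from the body so it is honest.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/TCP 192.0.2.10:5060\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SDP_BODY)}\r\n"
    "\r\n" + SDP_BODY
)


def split_sip(message):
    """Return (headers, body); reject a body whose length does not match
    Content-Length so a truncated or padded message is not parsed optimistically."""
    head, sep, body = message.partition("\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator")
    headers = {}
    for line in head.split("\r\n")[1:]:          # [0] is the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    declared = int(headers.get("content-length", len(body)))
    if declared != len(body):
        raise ValueError("Content-Length %d != body length %d" % (declared, len(body)))
    return headers, body


def is_well_formed(message):
    """True when the message splits cleanly and its Content-Length is honest."""
    try:
        split_sip(message)
        return True
    except ValueError:
        return False


def media_pinholes(message):
    """List (transport, address, rtp_port, rtcp_port) for every active media
    stream described in the message's SDP body."""
    headers, body = split_sip(message)
    if headers.get("content-type", "").lower() != "application/sdp":
        return []
    session_addr = None
    pinholes = []
    current = None        # None: before any m=; -1: rejected stream; else index
    for line in body.split("\r\n"):
        if line.startswith("c="):
            # c=<nettype> <addrtype> <connection-address>
            addr = line.split()[2]
            if current is None:
                session_addr = addr                 # session-level default
            elif current >= 0:
                pinholes[current][1] = addr         # media-level override
        elif line.startswith("m="):
            # m=<media> <port>[/<count>] <proto> <fmt> ...
            _, port_spec, proto = line.split()[:3]
            port = int(port_spec.split("/")[0])
            if port == 0:                           # port 0 = stream rejected
                current = -1
                continue
            transport = "udp" if proto.startswith("RTP/") else proto.lower()
            pinholes.append([transport, session_addr, port, port + 1])
            current = len(pinholes) - 1
    return [tuple(p) for p in pinholes]


if __name__ == "__main__":
    for hole in media_pinholes(SAMPLE_INVITE):
        print("permit %s %s:%d (rtcp %d)" % hole)
```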

 

This section includes the topics:

  • Viewing the session helper configuration
  • Changing the session helper configuration
  • DCE-RPC session helper (dcerpc)
  • DNS session helpers (dns-tcp and dns-udp)
  • File transfer protocol (FTP) session helper (ftp)
  • H.245 session helpers (h245I and h245O)
  • H.323 and RAS session helpers (h323 and ras)
  • Media Gateway Controller Protocol (MGCP) session helper (mgcp)
  • ONC-RPC portmapper session helper (pmap)
  • PPTP session helper for PPTP traffic (pptp)
  • Remote shell session helper (rsh)
  • Real-Time Streaming Protocol (RTSP) session helper (rtsp)
  • Session Initiation Protocol (SIP) session helper (sip)
  • Trivial File Transfer Protocol (TFTP) session helper (tftp)
  • Oracle TNS listener session helper (tns)

 

Viewing the session helper configuration

You can view the session helpers enabled on your FortiGate unit in the CLI using the commands below. The following output shows the first two session helpers; the complete list contains around 20.

show system session-helper
config system session-helper
    edit 1
        set name pptp
        set port 1723
        set protocol 6
    next
    edit 2
        set name h323
        set port 1720
        set protocol 6
    next
    .
    .
end

 

The configuration for each session helper includes the name of the session helper and the port and protocol number on which the session helper listens for sessions. Session helpers listen on protocol number 6 (TCP) or 17 (UDP). For a complete list of protocol numbers see Assigned Internet Protocol Numbers.

For example, the output above shows that FortiOS listens for PPTP packets on TCP port 1723 and H.323 packets on TCP port 1720.

If a session helper listens on more than one port or protocol, more than one entry for the session helper appears in the config system session-helper list. For example, the pmap session helper appears twice because it listens on TCP port 111 and UDP port 111. The rsh session helper appears twice because it listens on TCP ports 514 and 512.



L2TP configuration overview

To configure a FortiGate unit to act as an LNS, you perform the following tasks:

  • Create an L2TP user group containing one user for each remote client.
  • Enable L2TP on the FortiGate unit and specify the range of addresses that can be assigned to remote clients when they connect.
  • Define firewall source and destination addresses to indicate where packets transported through the L2TP tunnel will originate and be delivered.
  • Create the security policy and define the scope of permitted services between the source and destination addresses.
  • Configure the remote clients.

 

Authenticating L2TP clients

L2TP clients must be authenticated before a tunnel is established. The authentication process relies on FortiGate user group definitions, which can optionally use established authentication mechanisms such as RADIUS or LDAP to authenticate L2TP clients. All L2TP clients are challenged when a connection attempt is made.

To enable authentication, you must create user accounts and a user group to identify the L2TP clients that need access to the network behind the FortiGate unit.

You can choose to use a plain text password for authentication or forward authentication requests to an external RADIUS or LDAP server. If password protection will be provided through a RADIUS or LDAP server, you must configure the FortiGate unit to forward authentication requests to the authentication server.

 

Enabling L2TP and specifying an address range

The L2TP address range specifies the range of addresses reserved for remote clients. When a remote client connects to the FortiGate unit, the client is assigned an IP address from this range. Afterward, the FortiGate unit uses the assigned address to communicate with the remote client.

The address range that you reserve can be associated with private or routable IP addresses. If you specify a private address range that matches a network behind the FortiGate unit, the assigned address will make the remote client appear to be part of the internal network.

To enable L2TP and specify the L2TP address range, use the config vpn l2tp CLI command.

The following example shows how to enable L2TP and set the L2TP address range using a starting address of 192.168.10.80 and an ending address of 192.168.10.100 for an existing group of L2TP users named L2TP_users:

config vpn l2tp
    set sip 192.168.10.80
    set eip 192.168.10.100
    set status enable
    set usrgrp L2TP_users
end

 

Defining firewall source and destination addresses

Before you define the security policy, you must define the source and destination addresses of packets that are to be transported through the L2TP tunnel:

  • For the source address, enter the range of addresses that you reserved for remote L2TP clients (for example 192.168.10.[80-100]).
  • For the destination address, enter the IP addresses of the computers that the L2TP clients need to access on the private network behind the FortiGate unit (for example, 172.16.5.0/24 for a subnet, or 172.16.5.1 for a server or host, or 192.168.10.[10-15] for an IP address range).

 

To define the firewall source address

1. Go to Policy & Objects > Objects > Addresses and select Create New.

2. Select a Category.

3. In the Address Name field, type a name that represents the range of addresses that you reserved for remote clients (for example, Ext_L2TPrange).

4. In Type, select IP Range.

5. In the IP Range field, type the corresponding IP address range.

6. In Interface, select the FortiGate interface that connects to the clients. This is usually the interface that connects to the Internet.

7. Select OK.

 

To define the firewall destination address

1. Go to Policy & Objects > Objects > Addresses and select Create New.

2. In the Address Name field, type a name that represents a range of IP addresses on the network behind the FortiGate unit (for example, Int_L2TPaccess).

3. In Type, select IP Range.

4. In the IP Range field, type the corresponding IP address range.

5. In Interface, select the FortiGate interface that connects to the network behind the FortiGate unit.

6. Select OK.

 

Adding the security policy

The security policy specifies the source and destination addresses that can generate traffic inside the L2TP tunnel and defines the scope of services permitted through the tunnel. If a selection of services is required, define a service group.

 

To define the traffic and services permitted inside the L2TP tunnel

1. Go to Policy & Objects > Policy > IPv4 or Policy & Objects > Policy > IPv6 and select Create New.

2. Enter these settings:

Incoming Interface     Select the FortiGate interface to the Internet.
Source Address         Select the name that corresponds to the address range that you reserved for L2TP clients (for example, Ext_L2TPrange).
Outgoing Interface     Select the FortiGate interface to the internal (private) network.
Destination Address    Select the name that corresponds to the IP addresses behind the FortiGate unit (for example, Int_L2TPaccess).
Service                Select ALL, or if selected services are required instead, select the service group that you defined previously.
Action                 ACCEPT

3. Select OK.

 

Configuring a Linux client

This procedure outlines how to install L2TP client software and run an L2TP tunnel on a Linux computer. Obtain an L2TP client package that meets your requirements (for example, rp-l2tp). If you need to encrypt traffic, obtain L2TP client software that supports encryption using MPPE.

To establish an L2TP tunnel with a FortiGate unit that has been set up to accept L2TP connections, you can obtain and install the client software following these guidelines:

1. If encryption is required but MPPE support is not already present in the kernel, download and install an MPPE kernel module and reboot your computer.

2. Download and install the L2TP client package.

3. Configure an L2TP connection to run the L2TP program.

4. Configure routes to determine whether all or some of your network traffic will be sent through the tunnel. You must define a route to the remote network over the L2TP link and a host route to the FortiGate unit.

5. Run l2tpd to start the tunnel.

Follow the software supplier’s documentation to complete the steps.

To configure the system, you need to know the public IP address of the FortiGate unit, and the user name and password that have been set up on the FortiGate unit to authenticate L2TP clients. Contact the FortiGate administrator if you need help obtaining this information.

 

Monitoring L2TP sessions

You can display a list of all active sessions and view activity by port number. By default, port 1701 is used for L2TP VPN-related communications. If required, active sessions can be stopped from this view. Use the Top Sessions Dashboard Widget.

 

Testing L2TP VPN connections

To confirm that a VPN between a local network and a dialup client has been configured correctly, at the dialup client, issue a ping command to test the connection to the local network. The VPN tunnel initializes when the dialup client attempts to connect.

 

Logging L2TP VPN events

You can configure the FortiGate unit to log VPN events. For L2TP VPNs, connection events and tunnel status (up/down) are logged.

 

To log VPN events – web-based manager

1. Go to Log & Report > Log Config > Log Settings.

2. Enable the storage of log messages to one or more locations.

3. Select Enable, and then select VPN activity event.

4. Select Apply.

 

To log VPN events – CLI

config log memory setting
    set diskfull overwrite
    set status enable
end

config log eventfilter
    set vpn enable
end



FortiAnalyzer 5.4.2 Release Notes

Change Log

Date          Change Description
2016-12-14    Initial release of 5.4.2.
2016-12-15    Added 400028 to Known Issues and 389255 and 383563 to Resolved Issues. Noted that FortiAnalyzer supports Microsoft Hyper-V 2016 in the FortiAnalyzer VM Firmware section.

 

Introduction

This document provides the following information for FortiAnalyzer version 5.4.2 build 1151:

  • Supported models
  • What’s new in FortiAnalyzer version 5.4.2
  • Special Notices
  • Upgrade Information
  • Product Integration and Support
  • Resolved Issues
  • Known Issues

For more information on upgrading your FortiAnalyzer device, see the FortiAnalyzer Upgrade Guide.

Supported models

FortiAnalyzer version 5.4.2 supports the following models:

FortiAnalyzer: FAZ-200D, FAZ-300D, FAZ-400E, FAZ-1000D, FAZ-1000E, FAZ-2000B, FAZ-2000E, FAZ-3000D, FAZ-3000E, FAZ-3000F, FAZ-3500E, FAZ-3500F, FAZ-3900E, and FAZ-4000B.
FortiAnalyzer VM: FAZ-VM64, FAZ-VM64-AWS, FAZ-VM64-Azure, FAZ-VM64-HV, FAZ-VM64-KVM, and FAZ-VM64-XEN (Citrix XenServer and Open Source Xen).

What’s new in FortiAnalyzer version 5.4.2

The following is a list of new features and enhancements in FortiAnalyzer version 5.4.2.

Security Service—Indicators of Compromise

IOC Enhancement

Improved threat catch rate

FortiView

FortiView improvements

  • Improved filters, refresh interval selection and summary headers on drilldown
  • Performance improvements
  • Device-level hcache now supported in FortiView

Reports

SAAS Application Report

Default report template for monitoring sanctioned and unsanctioned SAAS applications

Cyber Threat Assessment Report

New report template for cyber threat assessment

Report Usability Improvements

  • Simplified template configuration
  • Streamlined report workflow

Event Management

Events Calendar View

Displays alerts on calendar with weekly/monthly views for quick access and intuitive event monitoring

 

Log View

Add CVE-ID to Log View

Common Vulnerabilities and Exposures number (CVE ID) for known security threats added to Log View > Security > Intrusion Prevention

System Settings

Dashboard

New widget for collector mode to monitor log forwarding rate

Product Integration

Support for FortiAuthenticator integration

Help

Links to how-to videos in the Help menu

Special Notices

This section highlights some of the operational changes that administrators should be aware of in FortiAnalyzer version 5.4.2.

IPsec connection to FortiOS for logging

FortiAnalyzer 5.4.2 no longer supports an IPsec connection with FortiOS 5.0/5.2. However, UDP and TCP with reliable logging are supported.

Instead of IPsec, you can use the FortiOS reliable logging feature to encrypt logs and send them to FortiAnalyzer. You can enable reliable logging on FortiOS with the config log fortianalyzer setting command, and control the encryption method with the set enc-algorithm {default | high | low | disable} option.

FortiAnalyzer 5.4.1 and earlier do support an IPsec connection with FortiOS 5.0/5.2.

Datasets Related to Browse Time

FortiAnalyzer 5.4.2 contains enhancements to calculating the estimated browse time. Due to the changes, cloned datasets that query for browse time may not be able to return any results after upgrade.

System Configuration or VM License is Lost after Upgrade

When upgrading FortiAnalyzer from 5.4.0 or 5.4.1 to 5.4.2, it is imperative to reboot the unit before installing the 5.4.2 firmware image. Please see the FortiAnalyzer Upgrade Guide for details about upgrading. Otherwise, FortiAnalyzer may lose system configuration or VM license after upgrade. There are two options to recover the FortiAnalyzer unit:

  1. Reconfigure the system configuration or add VM license via CLI with execute add-vm-license <vm license>.
  2. Restore the 5.4.0 backup and upgrade to 5.4.2.

SSLv3 on FortiAnalyzer-VM64-AWS

Due to known vulnerabilities in the SSLv3 protocol, FortiAnalyzer-VM64-AWS only enables TLSv1 by default. All other models enable both TLSv1 and SSLv3. If you wish to disable SSLv3 support, please run:

config system global
    set ssl-protocol tlsv1
end

No support for remote SQL database

Starting with FortiAnalyzer software versions 5.0.7 and 5.2.0, remote SQL database support will only cover the insertion of log data into the remote MySQL database. Historical log search and reporting capabilities, which rely on the remote SQL data, will no longer be supported.

Those wishing to use the full set of FortiAnalyzer features are encouraged to switch as soon as possible to storing SQL data locally on the FortiAnalyzer. The local database can be built based upon existing raw logs already stored on the FortiAnalyzer.

Pre-processing logic of ebtime

Logs that meet the following conditions are considered usable for calculating estimated browsing time:

  • Traffic logs with a logid of 13 or 2. When logid == 13, hostname must not be empty.
  • The service field must be HTTP, 80/TCP or 443/TCP.

If all of the above conditions are met, devid, vdom, and user (or srcip if user is empty) are combined as a key to identify a user. For time estimation, the current value of duration is compared against the start and end times of that user's previous sessions, and only the non-overlapping part is counted as the ebtime of the current log.

In version 5.0.5 or later, Explicit Proxy logs (logid=10) are checked when calculating the estimated browsing time.
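The eligibility and de-overlap rules above, implemented as an added example over constructed traffic-log lines (this is not FortiAnalyzer code). It assumes key=value log text, that eventtime is the session end in epoch seconds and that the session start is eventtime minus duration; the notes state none of these.

```python
"""Estimated browse time (ebtime) pre-processing as described in the
FortiAnalyzer 5.4.2 release notes.  Added illustration, not FortiAnalyzer code.
Assumptions not in the notes: logs are key=value text, 'eventtime' is the
session end in epoch seconds, and the session start is eventtime - duration."""
import shlex

ELIGIBLE_SERVICES = {"HTTP", "80/TCP", "443/TCP"}


def parse_log(line):
    """Parse one key=value log line (values may be double-quoted) into a dict."""
    fields = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def is_usable(log, include_proxy=True):
    """Eligibility: logid 13 or 2 (plus 10 for explicit proxy, 5.0.5 and later),
    a non-empty hostname when logid is 13, and a web service field."""
    logids = {"13", "2", "10"} if include_proxy else {"13", "2"}
    if log.get("logid") not in logids:
        return False
    if log.get("logid") == "13" and not log.get("hostname"):
        return False
    return log.get("service") in ELIGIBLE_SERVICES


def user_key(log):
    """devid, vdom and user (srcip when user is empty) identify one user."""
    return (log.get("devid"), log.get("vdom"), log.get("user") or log.get("srcip"))


class BrowseTimeEstimator:
    """Keeps, per user key, the disjoint session intervals already counted."""

    def __init__(self):
        self.history = {}

    def ebtime(self, log):
        """Seconds of this log's session not already covered by earlier sessions
        of the same user; 0 for logs that fail the eligibility rules."""
        if not is_usable(log):
            return 0
        end = int(log["eventtime"])
        start = end - int(log.get("duration", 0))
        if start >= end:
            return 0
        intervals = self.history.setdefault(user_key(log), [])
        # History intervals are kept disjoint, so per-interval overlaps can be summed.
        overlap = sum(max(0, min(end, e) - max(start, s)) for s, e in intervals)
        self._merge(intervals, start, end)
        return (end - start) - overlap

    @staticmethod
    def _merge(intervals, start, end):
        """Insert [start, end) and coalesce it with any interval it touches."""
        kept = []
        for s, e in intervals:
            if e < start or s > end:
                kept.append((s, e))
            else:
                start, end = min(start, s), max(end, e)
        kept.append((start, end))
        kept.sort()
        intervals[:] = kept


def total_ebtime(lines):
    """Run the estimator over raw log lines; returns {user_key: seconds}."""
    est = BrowseTimeEstimator()
    totals = {}
    for line in lines:
        log = parse_log(line)
        secs = est.ebtime(log)
        if secs:
            totals[user_key(log)] = totals.get(user_key(log), 0) + secs
    return totals


# Constructed sample logs (not captured from a real device).
SAMPLE_LOGS = [
    'devid=FG-A vdom=root logid=13 user=alice srcip=10.0.0.5 hostname="www.example.com" service=HTTP eventtime=1000 duration=60',
    'devid=FG-A vdom=root logid=13 user=alice srcip=10.0.0.5 hostname="www.example.com" service=443/TCP eventtime=1030 duration=60',
    'devid=FG-A vdom=root logid=13 user=alice srcip=10.0.0.5 hostname="" service=HTTP eventtime=1100 duration=60',
    'devid=FG-A vdom=root logid=13 user=alice srcip=10.0.0.5 hostname="www.example.com" service=DNS eventtime=1200 duration=60',
    'devid=FG-A vdom=root logid=13 user=alice srcip=10.0.0.5 hostname="www.example.com" service=HTTP eventtime=1000 duration=20',
    'devid=FG-A vdom=root logid=2 user="" srcip=10.0.0.9 hostname="" service=80/TCP eventtime=1000 duration=45',
]

if __name__ == "__main__":
    for key, secs in total_ebtime(SAMPLE_LOGS).items():
        print(key, secs)
```

Of alice's five logs, the second overlaps the first by 30 seconds and the fifth lies entirely inside them, so she is credited 90 seconds rather than the 200 that summing duration would give.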

Log Aggregation or Forwarding

Log aggregation or forwarding works from 5.4 to 5.4 or from 5.4.1 to 5.4.1. Use the same FortiAnalyzer version on all the units; other version combinations are not supported.

Upgrade Information

Upgrading to FortiAnalyzer 5.4.2

You can upgrade FortiAnalyzer 5.2.0 or later directly to 5.4.2. If you are upgrading from versions earlier than 5.2.0, you will need to upgrade to FortiAnalyzer 5.2 first. (We recommend that you upgrade to 5.2.9, the latest version of FortiAnalyzer 5.2.)

Downgrading to previous versions

FortiAnalyzer does not provide a full downgrade path. You can downgrade to a previous firmware release via the GUI or CLI, but doing so results in configuration loss. A system reset is required after the firmware downgrading process has completed. To reset the system, use the following CLI commands via a console port connection:

execute reset all-settings
execute format {disk | disk-ext4}

Firmware image checksums

The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support portal, https://support.fortinet.com. To verify the integrity of the download, select the Checksum link next to the HTTPS download link. A dialog box will be displayed with the image file name and checksum code. Compare this checksum with the checksum of the firmware image.

FortiAnalyzer VM firmware

Fortinet provides FortiAnalyzer VM firmware images for Amazon AWS, Citrix and Open Source XenServer, Linux KVM, Microsoft Hyper-V Server, and VMware ESX/ESXi virtualization environments.

Amazon Web Services

  • The 64-bit Amazon Machine Image (AMI) is available on the AWS marketplace.

Citrix XenServer and Open Source XenServer

  • .out: Download the 64-bit firmware image to upgrade your existing FortiAnalyzer VM installation.
  • .out.OpenXen.zip: Download the 64-bit package for a new FortiAnalyzer VM installation. This package contains the QCOW2 file for the Open Source Xen Server.
  • .out.CitrixXen.zip: Download the 64-bit package for a new FortiAnalyzer VM installation. This package contains the Citrix XenServer Disk (VHD), and OVF files.

Linux KVM

  • .out: Download the 64-bit firmware image to upgrade your existing FortiAnalyzer VM installation.
  • .out.kvm.zip: Download the 64-bit package for a new FortiAnalyzer VM installation. This package contains QCOW2 that can be used by qemu.

Microsoft Azure

The files for Microsoft Azure have AZURE in the filenames, for example FAZ_VM64_AZURE-v<number>build<number>-FORTINET.out.hyperv.zip.

  • .out: Download the firmware image to upgrade your existing FortiAnalyzer VM installation.
  • .hyperv.zip: Download the package for a new FortiAnalyzer VM installation. This package contains a Virtual Hard Disk (VHD) file for Microsoft Azure.

Microsoft Hyper-V Server

The files for Microsoft Hyper-V Server have HV in the filenames, for example, FAZ_VM64_HV-v<number>build<number>-FORTINET.out.hyperv.zip.

  • .out: Download the firmware image to upgrade your existing FortiAnalyzer VM installation.
  • .hyperv.zip: Download the package for a new FortiAnalyzer VM installation. This package contains a Virtual Hard Disk (VHD) file for Microsoft Hyper-V Server.

VMware ESX/ESXi

  • .out: Download the 64-bit firmware image to upgrade your existing VM installation.
  • .ovf.zip: Download the 64-bit package for a new VM installation. This package contains an Open Virtualization Format (OVF) file for VMware and two Virtual Machine Disk Format (VMDK) files used by the OVF file during deployment.

For more information see the FortiManager product data sheet available on the Fortinet web site, http://www.fortinet.com/products/fortimanager/virtual-securitymanagement.html. VM installation guides are available in the Fortinet Document Library.

 

SNMP MIB files

You can download the FORTINET-FORTIMANAGER-FORTIANALYZER.mib MIB file in the firmware image file folder. The Fortinet Core MIB file is located in the main FortiAnalyzer v5.00 file folder.

Product Integration and Support

FortiAnalyzer version 5.4.2 support

The following table lists FortiAnalyzer version 5.4.2 product integration and support information:

Web Browsers
  • Microsoft Internet Explorer version 11
  • Mozilla Firefox version 50
  • Google Chrome version 54

Other web browsers may function correctly, but are not supported by Fortinet.

FortiOS/FortiOS Carrier
  • 5.4.0 to 5.4.2
  • 5.2.0 to 5.2.10
  • 5.0.4 to 5.0.12
  • 4.3.2 to 4.3.18

FortiAnalyzer
  • 5.4.0 to 5.4.2
  • 5.2.0 to 5.2.9
  • 5.0.0 to 5.0.13

FortiCache
  • 4.1.3
  • 4.0.4

FortiClient
  • 5.2.0 and later
  • 5.0.4 and later

FortiMail
  • 5.3.8
  • 5.2.9
  • 5.1.6
  • 5.0.10

FortiManager
  • 5.4.0 to 5.4.2
  • 5.2.0 and later
  • 5.0.0 and later

FortiSandbox
  • 2.3.2
  • 2.2.2
  • 2.1.3
  • 2.0.3
  • 1.4.0 and later
  • 1.3.0
  • 1.2.0 and 1.2.3

FortiSwitch ATCA
  • 5.0.0 and later
  • 4.3.0 and later
  • 4.2.0 and later

FortiWeb
  • 5.6.0
  • 5.5.4
  • 5.4.1
  • 5.3.8
  • 5.2.4
  • 5.1.4
  • 5.0.6

FortiDDoS
  • 4.2.3
  • 4.1.12

FortiAuthenticator
  • 4.2.0

Virtualization
  • Amazon Web Service AMI, Amazon EC2, Amazon EBS
  • Citrix XenServer 6.2
  • Linux KVM Redhat 6.5
  • Microsoft Azure
  • Microsoft Hyper-V Server 2008 R2, 2012 & 2012 R2
  • OpenSource XenServer 4.2.5
  • VMware: ESX versions 4.0 and 4.1; ESXi versions 4.0, 4.1, 5.0, 5.1, 5.5, and 6.0

Feature support

The following table lists FortiAnalyzer feature support for log devices.

 

Platform                                    Log View   FortiView   Event Management   Reports
FortiGate                                   ✓          ✓           ✓                  ✓
FortiCarrier                                ✓          ✓           ✓                  ✓
FortiAnalyzer                               ✓                      ✓
FortiCache                                  ✓                      ✓                  ✓
FortiClient registered to FortiGate         ✓          ✓                              ✓
FortiClient registered to FortiClient EMS   ✓          ✓                              ✓
FortiDDoS                                   ✓          ✓           ✓                  ✓
FortiMail                                   ✓                      ✓                  ✓
FortiManager                                ✓                      ✓
FortiSandbox                                ✓                      ✓                  ✓
FortiWeb                                    ✓                      ✓                  ✓
Syslog                                      ✓                      ✓

FortiGate Management

You can enable FortiManager features on some FortiAnalyzer models. FortiAnalyzer models with FortiManager features enabled can manage a small number of FortiGate devices, and all but a few FortiManager features are enabled on FortiAnalyzer. The following table lists the supported modules for FortiAnalyzer with FortiManager Features enabled:

FortiManager Management Module    FortiAnalyzer with FortiManager Features Enabled
Device Manager                    ✓
Policy & Objects                  ✓
AP Manager                        ✓
FortiClient Manager               ✓
VPN Manager                       ✓
FortiGuard
FortiMeter
FGT-VM License Activation

Language support

The following table lists FortiAnalyzer language support information.

Language                 GUI   Reports
English                  ✓     ✓
Chinese (Simplified)     ✓     ✓
Chinese (Traditional)    ✓     ✓
French                         ✓
Hebrew                         ✓
Hungarian                      ✓
Japanese                 ✓     ✓
Korean                   ✓     ✓
Portuguese                     ✓
Russian                        ✓
Spanish                        ✓

To change the FortiAnalyzer language setting, go to System Settings > Admin > Admin Settings and, under Administrative Settings > Language, select the desired language from the drop-down list. The default value is Auto Detect.

Russian, Hebrew, and Hungarian are not included in the default report languages. You can import language translation files for these languages via the command line interface using one of the following commands:

execute sql-report import-lang <language name> <ftp> <server IP address> <user name> <password> <file name>
execute sql-report import-lang <language name> <sftp> <server IP address> <user name> <password> <file name>
execute sql-report import-lang <language name> <scp> <server IP address> <user name> <password> <file name>
execute sql-report import-lang <language name> <tftp> <server IP address> <file name>

For more information, see the FortiAnalyzer CLI Reference.

Supported models

The following tables list which FortiGate, FortiCarrier, FortiDDoS, FortiAnalyzer, FortiMail, FortiManager, FortiWeb, FortiCache, and FortiSandbox models and firmware versions can log to a FortiAnalyzer appliance running version 5.4.2. Please ensure that the log devices are supported before completing the upgrade.

FortiGate models

Firmware version 5.4
  FortiGate: FG-30D, FG-30D-POE, FG-30E, FG-30E-3G4G-INTL, FG-30E-3G4G-NAM, FG-50E, FG-51E, FG-52E, FG-60D, FG-60D-POE, FG-60E, FG-61E, FG-70D, FG-70D-POE, FG-80C, FG-80CM, FG-80D, FG-90D, FG-90D-POE, FG-90E, FG-91E, FG-92D, FG-94D-POE, FG-98D-POE, FG-100D, FG-100E, FG-101E, FG-140D, FG-140D-POE, FG-200D, FG-200D-POE, FG-240D, FG-240D-POE, FG-280D-POE, FG-200E, FG-201E, FG-300D, FG-400D, FG-500D, FG-600C, FG-600D, FG-800C, FG-800D, FG-900D, FG-1000C, FG-1000D, FG-1200D, FG-1500D, FG-1500DT, FG-3000D, FG-3100D, FG-3200D, FG-3240C, FG-3600C, FG-3700D, FG-3700DX, FG-3810D, FG-3815D, FG-2000E, FG-2500E, FG-3800D, FG-7040E-1, FG-7040E-2, FG-7040E-3, FG-7040E-4, FG-7040E-5, FG-7040E-6, FG-7060E-1, FG-7060E-2, FG-7060E-3, FG-7060E-4, FG-7060E-5, FG-7060E-6
  FortiGate 5000 Series: FG-5001C, FG-5001D
  FortiGate DC: FG-80C-DC, FG-600C-DC, FG-800C-DC, FG-1000C-DC, FG-1500D-DC, FG-3000D-DC, FG-3100D-DC, FG-3200D-DC, FG-3240C-DC, FG-3600C-DC, FG-3700D-DC, FG-3800D-DC, FG-3810D-DC
  FortiGate Low Encryption: FG-80C-LENC, FG-100D-LENC, FG-600C-LENC, FG-1000C-LENC
  FortiWiFi: FWF-30D, FWF-30E, FWF-30E-3G4G-INTL, FWF-30E-3G4G-NAM, FWF-50E, FWF-50E-2R, FWF-51E, FWF-30D-POE, FWF-60D, FWF-60D-POE, FWF-90D, FWF-90D-POE, FWF-92D, FWF-60E, FWF-61E, FWF-80CM, FWF-81CM
  FortiGate VM: FG-VM, FG-VM64, FG-VM64-AWS, FG-VM64-AWSONDEMAND, FG-VM64-HV, FG-VM64-KVM, FG-VM64-XEN, FG-VMX-Service-Manager
  FortiGate Rugged: FGR-30D, FGR-35D, FGR-60D, FGR-90D

 

 

Firmware version 5.2
  FortiGate: FG-20C, FG-20C-ADSL-A, FG-30D, FG-30D-POE, FG-40C, FG-60C, FG-60C-POE, FG-60C-SFP, FG-60D, FG-60D-3G4G-VZW, FG-60D-POE, FG-70D, FG-70D-POE, FG-80C, FG-80CM, FG-80D, FG-90D, FG-90D-POE, FG-92D, FG-94D-POE, FG-98D-POE, FG-100D, FG-110C, FG-111C, FG-140D, FG-140D-POE, FG-140D-POE-T1, FG-200B, FG-200B-POE, FG-200D, FG-200D-POE, FG-240D, FG-240D-POE, FG-280D-POE, FG-300C, FG-300D, FG-310B, FG-311B, FG-400D, FG-500D, FG-600D, FG-900D, FG-600C, FG-620B, FG-621B, FG-800C, FG-800D, FG-1000C, FG-1000D, FG-1200D, FG-1240B, FG-1500D, FG-1500DT, FG-3000D, FG-3016B, FG-3040B, FG-3100D, FG-3140B, FG-3200D, FG-3240C, FG-3600C, FG-3700D, FG-3700DX, FG-3810A, FG-3810D, FG-3815D, FG-3950B, FG-3951B
  FortiGate 5000 Series: FG-5001A, FG-5001A-SW, FG-5001A-LENC, FG-5001A-DW-LENC, FG-5001A-SW-LENC, FG-5001B, FG-5001C, FG-5001D, FG-5101C
  FortiGate DC: FG-80C-DC, FG-300C-DC, FG-310B-DC, FG-600C-DC, FG-620B-DC, FG-621B-DC, FG-800C-DC, FG-1000C-DC, FG-1240B-DC, FG-1500D-DC, FG-3000D-DC, FG-3040B-DC, FG-3100D-DC, FG-3140B-DC, FG-3200D-DC, FG-3240C-DC, FG-3600C-DC, FG-3700D-DC, FG-3810A-DC, FG-3810D-DC, FG-3815D-DC, FG-3950B-DC, FG-3951B-DC
  FortiGate Low Encryption: FG-20C-LENC, FG-40C-LENC, FG-60C-LENC, FG-80C-LENC, FG-100D-LENC, FG-200B-LENC, FG-300C-LENC, FG-620B-LENC, FG-1000C-LENC, FG-1240B-LENC, FG-3040B-LENC, FG-310B-LENC, FG-600C-LENC, FG-3140B-LENC, FG-3810A-LENC, FG-3950B-LENC
  FortiWiFi: FWF-20C, FWF-20C-ADSL-A, FWF-30D, FWF-30D-POE, FWF-40C, FWF-60C, FWF-60CM, FWF-60CX-ADSL-A, FWF-60D, FWF-60D-3G4G-VZW, FWF-60D-POE, FWF-80CM, FWF-81CM, FWF-90D, FWF-90D-POE, FWF-92D
  FortiGate Rugged: FGR-60D, FGR-100C
  FortiGate VM: FG-VM-Azure, FG-VM, FG-VM64, FG-VM64-HV, FG-VM64-KVM, FG-VM64-XEN
  FortiSwitch: FS-5203B, FCT-5902D

 

Firmware version 5.0
  FortiGate: FG-20C, FG-20C-ADSL-A, FG-30D, FG-30D-POE, FG-40C, FG-60C, FG-60C-POE, FG-60C-SFP, FG-60D, FG-60D-3G4G-VZW, FG-60D-POE, FG-70D, FG-70D-POE, FG-80C, FG-80CM, FG-80D, FG-90D, FG-90D-POE, FG-92D, FG-94D-POE, FG-98D-POE, FG-100D, FG-110C, FG-111C, FG-140D, FG-140D-POE, FG-140D-POE-T1, FG-200B, FG-200B-POE, FG-200D, FG-200D-POE, FG-240D, FG-240D-POE, FG-280D-POE, FG-300C, FG-300D, FG-310B, FG-311B, FG-500D, FG-600C, FG-620B, FG-621B, FG-700D, FG-800C, FG-900D, FG-1000C, FG-1000D, FG-1200D, FG-1240B, FG-1500D, FG-3000D, FG-3016B, FG-3040B, FG-3100D, FG-3140B, FG-3200D, FG-3240C, FG-3600C, FG-3700D, FG-3810A, FG-3950B, FG-3951B
  FortiGate 5000 Series: FG-5001A, FG-5001A-SW, FG-5001A-LENC, FG-5001A-DW-LENC, FG-5001A-SW-LENC, FG-5001B, FG-5001C, FG-5001D, FG-5101C
  FortiGate DC: FG-80C-DC, FG-300C-DC, FG-310B-DC, FG-600C-DC, FG-620B-DC, FG-621B-DC, FG-800C-DC, FG-1000C-DC, FG-1240B-DC, FG-3000D-DC, FG-3040B-DC, FG-3100D-DC, FG-3140B-DC, FG-3200D-DC, FG-3240C-DC, FG-3600C-DC, FG-3700D-DC, FG-3810A-DC, FG-3950B-DC, FG-3951B-DC
  FortiGate Low Encryption: FG-20C-LENC, FG-40C-LENC, FG-60C-LENC, FG-80C-LENC, FG-100D-LENC, FG-200B-LENC, FG-300C-LENC, FG-310B-LENC, FG-600C-LENC, FG-620B-LENC, FG-1000C-LENC, FG-1240B-LENC, FG-3040B-LENC, FG-3140B-LENC, FG-3810A-LENC, FG-3950B-LENC
  FortiWiFi: FWF-20C, FWF-20C-ADSL-A, FWF-30D, FWF-30D-POE, FWF-40C, FWF-60C, FWF-60CM, FWF-60CX-ADSL-A, FWF-60D, FWF-60D-POE, FWF-60D-3G4G-VZW, FWF-80CM, FWF-81CM, FWF-90D, FWF-90D-POE, FWF-92D
  FortiGate Rugged: FGR-60D, FGR-90D, FGR-100C
  FortiGateVoice: FGV-40D2, FGV-70D4
  FortiGate VM: FG-VM, FG-VM64, FG-VM64-AWS, FG-VM64-AWSONDEMAND, FG-VM64-HV, FG-VM64-KVM, FG-VM64-XEN
  FortiSwitch: FS-5203B

FortiCarrier Models

Firmware version 5.4
  FortiCarrier: FCR-3000D, FCR-3100D, FCR-3200D, FCR-3700D, FCR-3700DX, FCR-3800D, FCR-3810D, FCR-3815D, FCR-5001C, FCR-5001D, FCR-3000D-DC, FCR-3100D-DC, FCR-3200D-DC, FCR-3240C, FCR-3600C, FCR-3700D-DC, FCR-3810D-DC, FCR-5001C
  FortiCarrier DC: FCR-3000D-DC, FCR-3100D-DC, FCR-3200D-DC, FCR-3240C-DC, FCR-3600C-DC, FCR-3700D-DC, FCR-3810D-DC, FCR-3815D-DC
  FortiCarrier VM: FCR-VM, FCR-VM64, FCR-VM64-AWS, FCR-VM64-AWSONDEMAND, FCR-VM64-HV, FCR-VM64-KVM

Firmware version 5.2
  FortiCarrier: FCR-3000D, FCR-3100D, FCR-3200D, FCR-3240C, FCR-3600C, FCR-3700D, FCR-3700DX, FCR-3810A, FCR-3810D, FCR-3815D, FCR-3950B, FCR-3951B, FCR-5001A, FCR-5001B, FCR-5001C, FCR-5001D, FCR-5101C, FCR-5203B, FCR-5902D
  FortiCarrier DC: FCR-3000D-DC, FCR-3100D-DC, FCR-3200D-DC, FCR-3700D-DC, FCR-3810D-DC
  FortiCarrier Low Encryption: FCR-5001A-DW-LENC
  FortiCarrier VM: FCR-VM, FCR-VM64, FCR-VM64-HV, FCR-VM64-KVM, FCR-VM64-XEN, FCR-VM64-AWSONDEMAND

Firmware version 5.0
  FortiCarrier: FCR-3240C, FCR-3600C, FCR-3810A, FCR-3950B, FCR-3951B, FCR-5001A, FCR-5001B, FCR-5001C, FCR-5001D, FCR-5101C
  FortiCarrier DC: FCR-3240C-DC, FCR-3600C-DC, FCR-3810A-DC, FCR-3950B-DC, FCR-3951B-DC
  FortiCarrier Low Encryption: FCR-5001A-DW-LENC
  FortiCarrier VM: FCR-VM, FCR-VM64

FortiDDoS models

Firmware versions 4.2, 4.1, 4.0
  FortiDDoS: FI-200B, FI-400B, FI-600B, FI-800B, FI-900B, FI-1000B, FI-1200B, FI-2000B

FortiAnalyzer models

Firmware version 5.4
  FortiAnalyzer: FAZ-200D, FAZ-300D, FAZ-400E, FAZ-1000D, FAZ-1000E, FAZ-2000B, FAZ-2000E, FAZ-3000D, FAZ-3000E, FAZ-3000F, FAZ-3500E, FAZ-3500F, FAZ-3900E, and FAZ-4000B
  FortiAnalyzer VM: FAZ-VM64, FAZ-VM64-Azure, FAZ-VM64-HV, FAZ-VM64-XEN (Citrix XenServer and Open Source Xen), FAZ-VM64-KVM, and FAZ-VM64-AWS

Firmware version 5.2
  FortiAnalyzer: FAZ-100C, FAZ-200D, FAZ-200E, FAZ-300D, FAZ-400C, FAZ-400E, FAZ-1000C, FAZ-1000D, FAZ-1000E, FAZ-2000B, FAZ-3000D, FAZ-3000E, FAZ-3000F, FAZ-3500E, FAZ-3500F, FAZ-3900E, FAZ-4000B
  FortiAnalyzer VM: FAZ-VM, FAZ-VM-AWS, FAZ-VM64, FAZ-VM64-Azure, FAZ-VM64-HV, FAZ-VM64-KVM, FAZ-VM64-XEN

Firmware version 5.0
  FortiAnalyzer: FAZ-100C, FAZ-200D, FAZ-200E, FAZ-300D, FAZ-400B, FAZ-400C, FAZ-400E, FAZ-1000B, FAZ-1000C, FAZ-1000D, FAZ-1000E, FAZ-2000A, FAZ-2000B, FAZ-3000D, FAZ-3000E, FAZ-3000F, FAZ-3500E, FAZ-3500F, FAZ-4000A, FAZ-4000B
  FortiAnalyzer VM: FAZ-VM, FAZ-VM64, FAZ-VM64-AWS, FAZ-VM64-Azure, FAZ-VM64-HV, FAZ-VM-KVM, FAZ-VM-XEN

FortiMail models

Firmware version 5.3.7:
  FortiMail: FE-60D, FE-200D, FE-200E, FE-400C, FE-400E, FE-1000D, FE-2000B, FE-2000E, FE-3000C, FE-3000D, FE-3000E, FE-3200E, FE-5002B
  FortiMail Low Encryption: FE-3000C-LENC
  FortiMail VM: FE-VM64, FE-VM64-HV, FE-VM64-XEN

Firmware version 5.2.8:
  FortiMail: FE-60D, FE-200D, FE-200E, FE-400C, FE-400E, FE-1000D, FE-2000B, FE-3000C, FE-3000D, FE-5002B
  FortiMail VM: FE-VM64, FE-VM64-HV, FE-VM64-XEN

Firmware version 5.1.6:
  FortiMail: FE-100C, FE-200D, FE-200E, FE-400B, FE-400C, FE-400E, FE-1000D, FE-2000B, FE-3000C, FE-3000D, FE-5001A, FE-5002B
  FortiMail VM: FE-VM64

Firmware version 5.0.10:
  FortiMail: FE-100C, FE-200D, FE-200E, FE-400B, FE-400C, FE-1000D, FE-2000A, FE-2000B, FE-3000C, FE-3000D, FE-4000A, FE-5001A, FE-5002B
  FortiMail VM: FE-VM64

FortiSandbox models

Firmware version 2.3.2:
  FortiSandbox: FSA-1000D, FSA-3000D, FSA-3000E, FSA-3500D
  FortiSandbox VM: FSA-VM

Firmware versions 2.2.0 and 2.1.0:
  FortiSandbox: FSA-1000D, FSA-3000D, FSA-3500D
  FortiSandbox VM: FSA-VM

Firmware versions 2.0.0 and 1.4.2:
  FortiSandbox: FSA-1000D, FSA-3000D
  FortiSandbox VM: FSA-VM

Firmware versions 1.4.0 and 1.4.1, 1.3.0, 1.2.0 and later:
  FortiSandbox: FSA-1000D, FSA-3000D

FortiSwitch ATCA models

Firmware version 5.2.0:
  FortiController: FTCL-5103B, FTCL-5902D, FTCL-5903C, FTCL-59

Firmware version 5.0.0:
  FortiSwitch-ATCA: FS-5003A, FS-5003B
  FortiController: FTCL-5103B, FTCL-5903C, FTCL-5913C

Firmware versions 4.3.0 and 4.2.0:
  FortiSwitch-ATCA: FS-5003A, FS-5003B

FortiWeb models

Firmware version 5.6.0:
  FortiWeb: FWB-2000E

Firmware version 5.5.3:
  FortiWeb: FWB-100D, FWB-400C, FWB-400D, FWB-1000C, FWB-1000D, FWB-3000C, FWB-3000CFSX, FWB-3000D, FWB-3000DFSX, FWB-3000E, FWB-3010E, FWB-4000C, FWB-4000D, FWB-4000E
  FortiWeb VM: FWB-VM-64, FWB-XENAWS, FWB-XENOPEN, FWB-XENSERVER, FWB-HYPERV, FWB-KVM, FWB-AZURE

Firmware version 5.4.1:
  FortiWeb: FWB-100D, FWB-400C, FWB-1000C, FWB-3000C, FWB-3000CFSX, FWB-3000D, FWB-3000DFSX, FWB-3000E, FWB-4000C, FWB-4000D, FWB-4000E
  FortiWeb VM: FWB-VM64, FWB-XENAWS, FWB-XENOPEN, FWB-XENSERVER, FWB-HYPERV

Firmware version 5.3.8:
  FortiWeb: FWB-100D, FWB-400B, FWB-400C, FWB-1000B, FWB-1000C, FWB-1000D, FWB-3000C, FWB-3000CFSX, FWB-3000D, FWB-3000DFSX, FWB-3000E, FWB-4000C, FWB-4000D, FWB-4000E
  FortiWeb VM: FWB-VM64, FWB-XENAWS, FWB-XENOPEN, FWB-XENSERVER, and FWB-HYPERV

Firmware version 5.2.4:
  FortiWeb: FWB-100D, FWB-400B, FWB-400C, FWB-1000B, FWB-1000C, FWB-1000D, FWB-3000C, FWB-3000CFSX, FWB-3000D, FWB-3000DFSX, FWB-3000E, FWB-4000C, FWB-4000D, FWB-4000E
  FortiWeb VM: FWB-VM64, FWB-HYPERV, FWB-XENAWS, FWB-XENOPEN, FWB-XENSERVER

FortiCache models

Firmware version 4.0:
  FortiCache: FCH-400C, FCH-400E, FCH-1000C, FCH-1000D, FCH-3000C, FCH-3000D, FCH-3900E
  FortiCache VM: FCH-VM64

Resolved Issues

The following issues have been fixed in FortiAnalyzer version 5.4.2. For inquiries about a particular bug, please contact Customer Service & Support.

Device Manager

Bug ID Description
382383 When there are many unregistered devices, they may intermittently disconnect from FortiAnalyzer.
382811 FortiAnalyzer should be able to sustain stable connections with more than 3500 devices and able to receive logs successfully.
306276 FortiCarrier ADOM should not be displayed when no device is registered.

FortiView

Bug ID Description
217103 FortiAnalyzer should allow users to view or download the Application Control archive files.
233869 There should be an option to clear search history.
371773 There may be performance issues to view logs when using the scroll bar.
379612 The filter, [-msg=”Virtual cluster’s vdom is added”], should display the relevant logs in the Log View.
379977 FortiAnalyzer cannot filter out users for SSL & Dialup IPSec VPNs.
382557 Drop box may become too narrow to view and select FortiGate device.
386279 Users need to click on the Go button twice before the log time frame is updated.
308171 Aggregated Dialed Time is incorrectly calculated in VPN-Top-Dial-Up and VPN-Users-ByDuration datasets.
387209 FortiGate devices that query FortiGuard should not be flagged as highly suspicious.
390173 FortiAnalyzer is unable to display part of the DLP content.

395191 UTM Deny logs are displayed with no action on FortiAnalyzer’s GUI.
397036 FortiAnalyzer should accept more characters for log view and policy search.

Logging

Bug ID Description
373262 FortiAnalyzer should allow users to specify the invoke time to auto delete logs.
381559 HA device logs are not received in aggregation mode.
383238 FortiAnalyzer should increase the limit for the number of aggregated clients.
393615 When using wildcard in the second or third octet for source IP in the Log View filter, incorrect results are returned.

Reporting

Bug ID Description
248563 Within the WiFi Network Summary report, AP Name should be the FortiAP’s name instead of the VAP interface’s name.
373718 Reports show devices with their serial numbers instead of hostnames.
377589 Blocked sites should not be counted within the Top 50 Site By Browsing Time.
383251 Reports may not contain any user data when a user filter is applied.
234007 Estimated browsing time dataset should pull log data according to time period specified.
383955 GUI fails to display chart library if there is a chart with invalid table columns.
397822 Users may not be able to generate custom reports after resizing FAZ-VM disk and rebuilding DB.
391482 User changes on LDAP server may not get updated on FortiAnalyzer for the user filter in reports.

System Settings

Bug ID Description
386865 Sorting for Analytics or Archive does not work on the Storage Info page.
391076 Qmail server is rejecting Email from FortiAnalyzer as the mail body contains bare LFs.
366224 FortiAnalyzer generates invalid Event logs on auto deleting policy from ADOM.
384180 FortiAnalyzer 5.4.2 is no longer vulnerable to the following TMP Reference: 2016-0023. Visit https://fortiguard.com/psirt for more information.
380634 FortiAnalyzer 5.4.2 is no longer vulnerable to the following CVE-Reference: 2016-5387. Visit https://fortiguard.com/psirt for more information.

Others

Bug ID Description
365639 The XML call to searchFazLog does not return the pktlog information.
366332 Logs are not imported when there are more than 1000 log files.
376758 FortiAnalyzer needs a diagnostic command to show supported platforms.
388071 FortiAnalyzer may not be able to render a proper web GUI page when making a change.
389137 Port 8900 and 8901 may be open without being in use.
391900 Scheduled log ftp backup may not be successful.

Common Vulnerabilities and Exposures

Bug ID Description
389255 FortiAnalyzer 5.4.2 is no longer vulnerable to the following CVE-References: 2016-6308, 2016-6307, 2016-6306, 2016-6305, 2016-6304, 2016-6303, 2016-6302, 2016-2183, 2016-2182, 2016-2181, 2016-2179, 2016-2178, 2016-2177. Visit https://fortiguard.com/psirt for more information.
383563 FortiAnalyzer 5.4.2 is no longer vulnerable to the following CVE-Reference: 2016-5696. Visit https://fortiguard.com/psirt for more information.

 

Known Issues

The following issues have been identified in FortiAnalyzer version 5.4.2. For inquiries about a particular bug or to report a bug, please contact Fortinet Customer Service & Support.

FortiView

Bug ID Description
396699 Filter should be persistent when changing view from formatted log to raw log or vice versa.
395243 FortiAnalyzer should correctly show the local user and radius wildcard user who is performing delete, download, or import log file actions from Log Browse.
396417 Test Emails fails when the recipient has a different domain than the account configured under SMTP server settings.

Logging

Bug ID Description
388185 Log files for Router should include IP addresses for sites that have multiple addresses.
389592 Filter does not return any results if message is part of the filter.
400028 Policy UUID is not inserted into the SQL DB.

Reporting

Bug ID Description
390502 FortiAnalyzer should allow cloning of the pre-defined reports: User Top 500 Websites by Bandwidth and User Top 500 Websites by Session.

System Settings


Configuring L2TP VPNs

This section describes how to configure a FortiGate unit to establish a Layer Two Tunneling Protocol (L2TP) tunnel with a remote dialup client. The FortiGate implementation of L2TP enables a remote dialup client to establish an L2TP tunnel with the FortiGate unit directly.

According to RFC 2661, an Access Concentrator (LAC) can establish an L2TP tunnel with an L2TP Network Server (LNS). In a typical scenario, the LAC is managed by an ISP and located on the ISP premises; the LNS is the gateway to a private network. When a remote dialup client connects to the Internet through the ISP, the ISP uses a local database to establish the identity of the caller and determine whether the caller needs access to an LNS through an L2TP tunnel. If the services registered to the caller indicate that an L2TP connection to the LNS is required, the ISP LAC attempts to establish an L2TP tunnel with the LNS.

A FortiGate unit can be configured to act as an LNS. The FortiGate implementation of L2TP enables a remote dialup client to establish an L2TP tunnel with the FortiGate unit directly, bypassing any LAC managed by an ISP. The ISP must configure its network access server to forward L2TP traffic from the remote client to the FortiGate unit directly whenever the remote client requires an L2TP connection to the FortiGate unit.

When the FortiGate unit acts as an LNS, an L2TP session and tunnel is created as soon as the remote client connects to the FortiGate unit. The FortiGate unit assigns an IP address to the client from a reserved range of IP addresses. The remote client uses the assigned IP address as its source address for the duration of the connection.

More than one L2TP session can be supported on the same tunnel. FortiGate units can be configured to authenticate remote clients using a plain text user name and password, or authentication can be forwarded to an external RADIUS or LDAP server. L2TP clients are authenticated as members of a user group.

FortiGate units support L2TP with Microsoft Point-to-Point Encryption (MPPE) encryption only. Later implementations of Microsoft L2TP for Windows use IPsec and require certificates for authentication and encryption. If you want to use Microsoft L2TP with IPsec to connect to a FortiGate unit, the IPsec and certificate elements must be disabled on the remote client.

Traffic from the remote client must be encrypted using MPPE before it is encapsulated and routed to the FortiGate unit. Packets originating at the remote client are addressed to a computer on the private network behind the FortiGate unit. Encapsulated packets are addressed to the public interface of the FortiGate unit. See the figure below.

When the FortiGate unit receives an L2TP packet, the unit disassembles the packet and forwards the packet to the correct computer on the internal network. The security policy and protection profiles on the FortiGate unit ensure that inbound traffic is screened and processed securely.

 

L2TP encapsulation

FortiGate units cannot deliver non-IP traffic such as Frame Relay or ATM frames encapsulated in L2TP packets; FortiGate units support the IPv4 and IPv6 addressing schemes only.

 

Network topology

The remote client connects to an ISP that determines whether the client requires an L2TP connection to the FortiGate unit. If an L2TP connection is required, the connection request is forwarded to the FortiGate unit directly.

 

Example L2TP configuration

 

L2TP infrastructure requirements

  • The FortiGate unit must be operating in NAT mode and have a static public IP address.
  • The ISP must configure its network access server to forward L2TP traffic from remote clients to the FortiGate unit directly.
  • The remote client must not generate non-IP traffic (Frame Relay or ATM frames).
  • The remote client includes L2TP support with MPPE encryption. If the remote client includes Microsoft L2TP with IPsec, the IPsec and certificate components must be disabled.

FortiGate unit as a PPTP server

In the most common Internet scenario, the PPTP client connects to an ISP that offers PPP connections with dynamically-assigned IP addresses. The ISP forwards PPTP packets to the Internet, where they are routed to the FortiGate unit.

 

FortiGate unit as a PPTP server

 

If the FortiGate unit will act as a PPTP server, there are a number of steps to complete:

  • Configure user authentication for PPTP clients.
  • Enable PPTP.
  • Specify the range of addresses that are assigned to PPTP clients when connecting.
  • Configure the security policy.

 

Configuring user authentication for PPTP clients

To enable authentication for PPTP clients, you must create user accounts and a user group to identify the PPTP clients that need access to the network behind the FortiGate unit. Within the user group, you must add a user for each PPTP client.

You can choose to use a plain text password for authentication or forward authentication requests to an external RADIUS, LDAP, or TACACS+ server. If password protection will be provided through a RADIUS, LDAP, or TACACS+ server, you must configure the FortiGate unit to forward authentication requests to the authentication server.

This example creates a basic user/password combination.

 

Configuring a user account

 

To add a local user – web-based manager

1. Go to User & Device > User > User Definition and select Create New.

2. Select Local User

3. Enter a User Name.

4. Enter a Password for the user. The password should be at least six characters.

5. Select OK.

 

To add a local user – CLI

config user local
    edit <username>
        set type password
        set passwd <password>
    end

Configuring a user group

To ease configuration, create user groups that contain users in similar categories or departments.

 

To create a user group – web-based manager

1. Go to User & Device > User > User Group and select Create New.

2. Enter a Name for the group.

3. For Type, select Firewall.

4. From the Available Users list, select the required users and select the right-facing arrow to add them to the Members list.

5. Select OK.

 

To create a user group – CLI

config user group
    edit <group_name>
        set group-type firewall
        set member <user_names>
    end

Enabling PPTP and specifying the PPTP IP address range

The PPTP address range specifies the range of addresses reserved for remote PPTP clients. When a PPTP client connects to the FortiGate unit, the client is assigned an IP address from this range. Afterward, the FortiGate unit uses the assigned address to communicate with the PPTP client.

The address range that you reserve can be associated with private or routable IP addresses. If you specify a private address range that matches a network behind the FortiGate unit, the assigned address will make the PPTP client appear to be part of the internal network.

PPTP requires two IP addresses, one for each end of the tunnel. The PPTP address range is the range of addresses reserved for remote PPTP clients. When the remote PPTP client establishes a connection, the FortiGate unit assigns an IP address from the reserved range of IP addresses to the client PPTP interface or retrieves the assigned IP address from the PPTP user group. If you use the PPTP user group, you must also define the FortiGate end of the tunnel by entering the IP address of the unit in Local IP (web-based manager) or local-ip (CLI). The PPTP client uses the assigned IP address as its source address for the duration of the connection.

PPTP configuration is only available through the CLI. In the example below, PPTP is enabled with the use of an IP range of 192.168.1.1 to 192.168.1.10 for addressing and the user group is hr_staff.

The start and end IPs in the PPTP address range must be in the same 24-bit subnet, for example, 192.168.1.1 – 192.168.1.254.

config vpn pptp
    set status enable
    set ip-mode range
    set eip 192.168.1.10
    set sip 192.168.1.1
    set usrgrp hr_staff
end

In this example, PPTP is enabled with the use of a user group for addressing, where the IP address of the PPTP server is 192.168.1.2 and the user group is hr_admin.

config vpn pptp
    set status enable
    set ip-mode usrgrp
    set local-ip 192.168.2.1
    set usrgrp hr_admin
end
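The same-subnet rule and the two addressing modes above, as an added example that is not Fortinet's code: a small Python helper that rejects a PPTP range whose start and end IPs are not in one 24-bit subnet and renders the corresponding config vpn pptp block. The addresses and group names are the ones from the examples above; the ip-mode usrgrp setting with local-ip is the user-group mode described in the text.

```python
"""Check and render a FortiOS 'config vpn pptp' block.

Added example, not Fortinet code. It enforces the documented rule that the
start and end IPs of the PPTP range must be in the same 24-bit subnet, and it
renders the CLI for the two addressing modes the text describes (a fixed range,
or addresses taken from the user group with local-ip set). The addresses and
group names used below are the ones from the documentation examples.
"""
import ipaddress


def validate_pptp_range(sip, eip):
    """Return (start, end) as IPv4Address objects or raise ValueError.

    Rejects malformed addresses, a start above the end, and a pair that does
    not share one /24 (the "same 24-bit subnet" rule).
    """
    start, end = ipaddress.IPv4Address(sip), ipaddress.IPv4Address(eip)
    if start > end:
        raise ValueError(f"start IP {start} is above end IP {end}")
    same_subnet = (ipaddress.ip_network(f"{start}/24", strict=False)
                   == ipaddress.ip_network(f"{end}/24", strict=False))
    if not same_subnet:
        raise ValueError(f"{start} and {end} are not in the same 24-bit subnet")
    return start, end


def range_is_valid(sip, eip):
    """Boolean wrapper around validate_pptp_range()."""
    try:
        validate_pptp_range(sip, eip)
        return True
    except ValueError:
        return False


def pptp_range_config(sip, eip, usrgrp):
    """CLI lines for ip-mode range: clients get addresses from sip..eip."""
    start, end = validate_pptp_range(sip, eip)
    return ["config vpn pptp", "    set status enable", "    set ip-mode range",
            f"    set sip {start}", f"    set eip {end}",
            f"    set usrgrp {usrgrp}", "end"]


def pptp_usrgrp_config(local_ip, usrgrp):
    """CLI lines for ip-mode usrgrp: the client address comes from the user
    group, so only the FortiGate end of the tunnel (local-ip) is given."""
    ipaddress.IPv4Address(local_ip)  # raises ValueError on a malformed address
    return ["config vpn pptp", "    set status enable", "    set ip-mode usrgrp",
            f"    set local-ip {local_ip}", f"    set usrgrp {usrgrp}", "end"]


if __name__ == "__main__":
    print("\n".join(pptp_range_config("192.168.1.1", "192.168.1.10", "hr_staff")))
    print("\n".join(pptp_usrgrp_config("192.168.2.1", "hr_admin")))
    print(range_is_valid("192.168.1.1", "192.168.2.10"))  # False: crosses a /24
```

Running the script prints the two blocks from this section and False for a range that straddles two /24 networks; validate_pptp_range() is the piece to reuse in any script that pushes PPTP settings to a unit, since the FortiGate rejects such a range but only after the commit has been attempted.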

 

Adding the security policy

The security policy specifies the source and destination addresses that can generate traffic inside the PPTP tunnel and defines the scope of services permitted through the tunnel. If a selection of services is required, define a service group.

 

To configure the firewall for the PPTP tunnel – web-based manager

1. Go to Policy & Objects > Policy > IPv4 or Policy & Objects > Policy > IPv6 and select Create New.

2. Complete the following and select OK:

Incoming Interface: The FortiGate interface connected to the Internet.
Source Address: Select the name that corresponds to the range of addresses that you reserved for PPTP clients.
Outgoing Interface: The FortiGate interface connected to the internal network.
Destination Address: Select the name that corresponds to the IP addresses behind the FortiGate unit.
Schedule: always
Service: ALL
Action: ACCEPT

 

To configure the firewall for the PPTP tunnel – CLI

config firewall policy (or config firewall policy6)
    edit 1
        set srcintf <interface to internet>
        set dstintf <interface to internal network>
        set srcaddr <reserved_range>
        set dstaddr <internal_addresses>
        set action accept
        set schedule always
        set service ALL
    end

Configuring the FortiGate unit for PPTP VPN

To arrange for PPTP packets to pass through the FortiGate unit to an external PPTP server, perform the following tasks in the order given:

  • Configure user authentication for PPTP clients.
  • Enable PPTP on the FortiGate unit and specify the range of addresses that can be assigned to PPTP clients when they connect.
  • Configure PPTP pass through on the FortiGate unit.

 

Configuring the FortiGate unit for PPTP pass through

To forward PPTP packets to a PPTP server on the network behind the FortiGate unit, you need to perform the following configuration tasks on the FortiGate unit:

  • Define a virtual IP address that points to the PPTP server.
  • Create a security policy that allows incoming PPTP packets to pass through to the PPTP server.

The address range is the external (public) IP address range that requires access to the internal PPTP server through the FortiGate virtual port-forwarding firewall.

IP addresses used in this document are fictional and follow the technical documentation guidelines specific to Fortinet. Real external IP addresses are not used.

 

Configuring a virtual IP address

The virtual IP address will be the address of the PPTP server host.

 

To define a virtual IP for PPTP pass through – web-based manager

1. Go to Policy & Objects > Objects > Virtual IPs.

2. Select Create New.

3. Choose the VIP Type.

4. Enter the name of the VIP, for example, PPTP_Server.

5. Select the External Interface where the packets will be received for the PPTP server.

6. Enter the External IP Address for the VIP.

7. Select Port Forwarding.

8. Set the Protocol to TCP.

9. Enter the External Service Port of 1723, the default for PPTP.

10. Enter the Map to Port to 1723.

11. Select OK.

 

To define a virtual IP for PPTP pass through – CLI

config firewall vip (or config firewall vip6)
    edit PPTP_Server
        set extintf <interface>
        set extip <ip_address>
        set portforward enable
        set protocol tcp
        set extport 1723
        set mappedport 1723
        set mappedip <destination IP address range>
    end

You can also use config firewall vip46 to define a virtual IP from an IPv4 address to an IPv6 address or config firewall vip64 to define a virtual IP from an IPv6 address to an IPv4 address.

 

Configuring a port-forwarding security policy

To create a port-forwarding security policy for PPTP pass through you must first create an address range reserved for the PPTP clients.

 

To create an address range – web-based manager

1. Go to Policy & Objects > Objects > Addresses and select Create New.

2. Select a Category.

3. Enter a Name for the range, for example, External_PPTP.

4. Select a Type of Subnet/IP Range.

5. Enter the IP address range.

6. Select the Interface to the Internet.

7. Select OK.

 

To create an address range – CLI

config firewall address (or config firewall address6)
    edit External_PPTP
        set type iprange
        set start-ip <ip_address>
        set end-ip <ip_address>
        set associated-interface <internet_interface>
    end

With the address set, you can add the security policy.

 

To add the security policy – web-based manager

1. Go to Policy & Objects > Policy > IPv4 or Policy & Objects > Policy > IPv6 and select Create New.

2. Complete the following and select OK:

Incoming Interface: The FortiGate interface connected to the Internet.
Source Address: Select the address range created in the previous step.
Outgoing Interface: The FortiGate interface connected to the PPTP server.
Destination Address: Select the VIP address created in the previous steps.
Schedule: always
Service: PPTP
Action: ACCEPT

 

To add the security policy – CLI

config firewall policy (or config firewall policy6)
    edit <policy_number>
        set srcintf <interface to internet>
        set dstintf <interface to PPTP server>
        set srcaddr <address_range>
        set dstaddr <PPTP_server_address>
        set action accept
        set schedule always
        set service PPTP
end
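A way to check that an existing pass-through configuration follows the pattern of this section (VIP, address range, policy), as an added example that is not Fortinet's code: a small parser for the FortiOS CLI config/edit/set/next/end syntax and an audit that confirms every policy carrying the PPTP service points at a VIP forwarding TCP 1723 and restricts its source to a defined address object rather than all. The interface names wan1 and internal, the IP addresses and policy ID 7 in the sample configuration are constructed for the example.

```python
"""Audit a FortiOS PPTP pass-through configuration.

Added example, not Fortinet code: a parser for the FortiOS CLI
config/edit/set/next/end syntax plus a check that every policy carrying the
PPTP service points at a VIP forwarding TCP 1723 and restricts its source to a
defined address object rather than 'all'. Interface names, addresses and the
policy ID in the sample configuration are constructed for this example.
"""
import shlex


def parse_fortios_cli(text):
    """Return {table name: {entry name: {setting: [values]}}}.

    Settings made directly under a table (tables without 'edit') are kept
    under the entry name "". Nested tables inside an entry are flattened to
    the top level, which is enough for the firewall objects audited here.
    """
    tables, stack, table, entry = {}, [], None, None
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())
        if not tokens or tokens[0].startswith("#"):
            continue
        kw = tokens[0]
        if kw == "config":
            stack.append((table, entry))
            table, entry = " ".join(tokens[1:]), None
            tables.setdefault(table, {})
        elif kw in ("edit", "set"):
            if table is None:
                raise ValueError(f"'{kw}' outside of a config block")
            if kw == "edit":
                entry = tokens[1]
                tables[table].setdefault(entry, {})
            else:
                tables[table].setdefault(entry or "", {})[tokens[1]] = tokens[2:]
        elif kw == "next":
            entry = None
        elif kw == "end":
            table, entry = stack.pop() if stack else (None, None)
    return tables


def audit_pptp_passthrough(cfg):
    """Return a list of findings; empty means the setup matches the documented pattern."""
    findings = []
    vips = cfg.get("firewall vip", {})
    addrs = cfg.get("firewall address", {})
    for pid, pol in cfg.get("firewall policy", {}).items():
        if pol.get("service") != ["PPTP"]:
            continue  # only policies that carry PPTP control traffic matter here
        for dst in pol.get("dstaddr", []):
            vip = vips.get(dst)
            if vip is None:
                findings.append(f"policy {pid}: dstaddr {dst} is not a defined VIP")
            elif (vip.get("portforward"), vip.get("protocol"), vip.get("extport"),
                  vip.get("mappedport")) != (["enable"], ["tcp"], ["1723"], ["1723"]):
                findings.append(f"policy {pid}: VIP {dst} does not port-forward TCP 1723 to 1723")
        for src in pol.get("srcaddr", []):
            if src == "all":
                findings.append(f"policy {pid}: srcaddr is 'all'; restrict it to the reserved PPTP client range")
            elif src not in addrs:
                findings.append(f"policy {pid}: srcaddr {src} is not a defined address")
        if pol.get("action") != ["accept"]:
            findings.append(f"policy {pid}: action is not accept, PPTP clients will be blocked")
    return findings


# Constructed sample following the documented pass-through pattern.
GOOD_CONFIG = """
config firewall vip
    edit PPTP_Server
        set extintf wan1
        set extip 203.0.113.10
        set portforward enable
        set protocol tcp
        set extport 1723
        set mappedport 1723
        set mappedip 10.0.0.25
    next
end
config firewall address
    edit External_PPTP
        set type iprange
        set start-ip 198.51.100.20
        set end-ip 198.51.100.40
        set associated-interface wan1
    next
end
config firewall policy
    edit 7
        set srcintf wan1
        set dstintf internal
        set srcaddr External_PPTP
        set dstaddr PPTP_Server
        set action accept
        set schedule always
        set service PPTP
    next
end
"""

# Same configuration with two weaknesses: the VIP forwards UDP, and any source may reach it.
WEAK_CONFIG = (GOOD_CONFIG.replace("set protocol tcp", "set protocol udp")
                          .replace("set srcaddr External_PPTP", "set srcaddr all"))

if __name__ == "__main__":
    for name, text in (("good", GOOD_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, audit_pptp_passthrough(parse_fortios_cli(text)) or "no findings")
```

The parser accepts the output of show firewall vip, show firewall address and show firewall policy pasted into one file, so the audit can be run against a unit's actual configuration rather than a hand-typed copy.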

 

Testing PPTP VPN connections

To confirm that a PPTP VPN between a local network and a dialup client has been configured correctly, at the dialup client, issue a ping command to test the connection to the local network. The PPTP VPN tunnel initializes when the dialup client attempts to connect.

 

Logging VPN events

For PPTP VPNs, activity is logged when VPN logging is enabled. FortiGate unit connection events and tunnel status (up/down) are logged.

 

To log VPN events

1. Go to Log & Report > Log Config > Log Settings.

2. Enable the storage of log messages to one or more locations.

3. Select VPN activity event.

4. Select Apply.

 

To view event logs

1. Go to Log & Report > Event Log > VPN.

2. If the option is available from the Log Type list, select the log file from disk or memory.


PPTP and L2TP

A virtual private network (VPN) is a way to use a public network, such as the Internet, as a vehicle to provide remote offices or individual users with secure access to private networks. FortiOS supports the Point-to-Point Tunneling Protocol (PPTP), which enables interoperability between FortiGate units and Windows or Linux PPTP clients. Because FortiGate units support industry standard PPTP VPN technologies, you can configure a PPTP VPN between a FortiGate unit and most third-party PPTP VPN peers.

 

This section describes how to configure PPTP and L2TP VPNs as well as PPTP passthrough. This section includes the topics:

  • How PPTP VPNs work
  • FortiGate unit as a PPTP server
  • Configuring the FortiGate unit for PPTP VPN
  • Configuring the FortiGate unit for PPTP pass through
  • Testing PPTP VPN connections
  • Logging VPN events
  • Configuring L2TP VPNs
  • L2TP configuration overview

 

How PPTP VPNs work

The Point-to-Point Tunneling Protocol enables you to create a VPN between a remote client and your internal network. Because it is a Microsoft Windows standard, PPTP does not require third-party software on the client computer. As long as the ISP supports PPTP on its servers, you can create a secure connection by making relatively simple configuration changes to the client computer and the FortiGate unit.

PPTP uses Point-to-Point protocol (PPP) authentication protocols so that standard PPP software can operate on tunneled PPP links. PPTP packages data in PPP packets and then encapsulates the PPP packets within IP packets for transmission through a VPN tunnel.

When the FortiGate unit acts as a PPTP server, a PPTP session and tunnel is created as soon as the PPTP client connects to the FortiGate unit. More than one PPTP session can be supported on the same tunnel. FortiGate units support PAP, CHAP, and plain text authentication. PPTP clients are authenticated as members of a user group.

Traffic from one PPTP peer is encrypted using PPP before it is encapsulated using Generic Routing Encapsulation (GRE) and routed to the other PPTP peer through an ISP network. PPP packets from the remote client are addressed to a computer on the private network behind the FortiGate unit. PPTP packets from the remote client are addressed to the public interface of the FortiGate unit. See the figure below.

PPTP control channel messages are not authenticated, and their integrity is not protected. Furthermore, encapsulated PPP packets are not cryptographically protected and may be read or modified unless appropriate encryption software such as Secure Shell (SSH) or Secure File Transfer Protocol (SFTP) is used to transfer data after the tunnel has been established.

As an alternative, you can use encryption software such as Microsoft Point-to-Point Encryption (MPPE) to secure the channel. MPPE is built into Microsoft Windows clients and can be installed on Linux clients. FortiGate units support MPPE.

 

Packet encapsulation

Shown above, traffic from the remote client is addressed to a computer on the network behind the FortiGate unit. When the PPTP tunnel is established, packets from the remote client are encapsulated and addressed to the FortiGate unit. The FortiGate unit forwards disassembled packets to the computer on the internal network.

When the remote PPTP client connects, the FortiGate unit assigns an IP address from a reserved range of IP addresses to the client PPTP interface. The PPTP client uses the assigned IP address as its source address for the duration of the connection.

When the FortiGate unit receives a PPTP packet, the unit disassembles the PPTP packet and forwards the packet to the correct computer on the internal network. The security policy and protection profiles on the FortiGate unit ensure that inbound traffic is screened and processed securely.

PPTP clients must be authenticated before a tunnel is established. The authentication process relies on FortiGate user group definitions, which can optionally use established authentication mechanisms such as RADIUS or LDAP to authenticate PPTP clients. All PPTP clients are challenged when a connection attempt is made.


Troubleshooting VLAN issues

Several problems can occur with your VLANs. Since VLANs are interfaces with IP addresses, they behave as interfaces and can have similar problems that you can diagnose with tools such as ping, traceroute, packet sniffing, and diag debug.

 

Asymmetric routing

You might discover unexpectedly that hosts on some networks are unable to reach certain other networks. This occurs when request and response packets follow different paths. If the FortiGate unit recognizes the response packets, but not the requests, it blocks the packets as invalid. Also, if the FortiGate unit recognizes the same packets repeated on multiple interfaces, it blocks the session as a potential attack.

This is asymmetric routing. By default, the FortiGate unit blocks packets or drops the session when this happens. You can configure the FortiGate unit to permit asymmetric routing by using the following CLI commands:

config system settings
    set asymroute enable
end

If VDOMs are enabled, this command is per VDOM. You must set it for each VDOM that has the problem as follows:

config vdom
    edit <vdom_name>
        config system settings
            set asymroute enable
        end
    end

If this solves your blocked traffic issue, you know that asymmetric routing is the cause. But allowing asymmetric routing is not the best solution, because it reduces the security of your network.

For a long-term solution, it is better to change your routing configuration or change how your FortiGate unit connects to your network.

If you enable asymmetric routing, antivirus and intrusion prevention systems will not be effective. Your FortiGate unit will be unaware of connections and treat each packet individually. It will become a stateless firewall.
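The behaviour described above, as an added example that is not FortiOS code: a toy session table in Python that shows why a reply whose request never crossed the firewall is dropped, why the same flow arriving on a second interface gets its session blocked, and what "stateless" means once asymroute is enabled (the session table is no longer consulted at all). The interface names port1, port2 and wan1, the addresses and the ports are constructed; policy lookup is omitted so that only the session logic is visible.

```python
"""Toy model of why a stateful firewall drops asymmetrically routed traffic.

Added example, not FortiOS code. A minimal session table keyed on the
connection 5-tuple reproduces the three behaviours the text describes:
a reply whose request never crossed the firewall has no session and is
dropped; the same flow arriving on a second interface gets the session
blocked; and with asymroute enabled the session table is bypassed, so every
packet is judged on its own (the "stateless firewall" the text warns about).
Interface names, addresses and ports below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ingress: str       # interface the packet arrived on
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for a TCP connection request


class StatefulFirewall:
    def __init__(self, asymroute=False):
        self.asymroute = asymroute
        self.sessions = {}  # flow key -> {sending endpoint: ingress interface}
        self.blocked = set()

    @staticmethod
    def flow_key(p):
        """Order the two endpoints so both directions map to one session."""
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a <= b else (b, a)

    def process(self, p):
        """Return 'accept' or 'drop' for one packet (policy lookup omitted)."""
        if self.asymroute:
            return "accept"  # no session state consulted: packet-by-packet only
        key, sender = self.flow_key(p), (p.src, p.sport)
        if key in self.blocked:
            return "drop"
        sess = self.sessions.get(key)
        if sess is None:
            if not p.syn:
                return "drop"  # response recognised, request never seen: invalid
            self.sessions[key] = {sender: p.ingress}
            return "accept"
        seen_on = sess.get(sender)
        if seen_on is None:
            sess[sender] = p.ingress  # first packet of the reverse direction
            return "accept"
        if seen_on != p.ingress:
            # the same direction of the flow showing up on another interface
            # looks like a loop or a replay, so the whole session is blocked
            self.blocked.add(key)
            del self.sessions[key]
            return "drop"
        return "accept"


def run_scenarios():
    """Drive the situations from the text; returns the verdicts by scenario."""
    client, server = ("10.0.0.5", 40000), ("198.51.100.7", 443)
    request = Packet("port1", *client, *server, syn=True)
    reply = Packet("wan1", *server, *client)
    verdicts = {}

    fw = StatefulFirewall()
    verdicts["symmetric"] = [fw.process(request), fw.process(reply)]

    fw = StatefulFirewall()  # the request took another path to the server
    verdicts["asymmetric_default"] = fw.process(reply)

    fw = StatefulFirewall(asymroute=True)
    verdicts["asymmetric_asymroute"] = fw.process(reply)

    fw = StatefulFirewall()  # request repeated on a second interface
    duplicate = Packet("port2", *client, *server, syn=True)
    verdicts["duplicate"] = [fw.process(request), fw.process(duplicate), fw.process(reply)]
    return verdicts


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name}: {verdict}")
```

The asymroute=True branch is deliberately a single line: that is the whole point of the warning in the text. Once the session table is skipped there is nothing for antivirus or IPS to attach to, because those features work on the reassembled session, not on isolated packets.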

config system interface
    edit <name_str>
        set l2forward enable
    end

where <name_str> is the name of an interface.

If VDOMs are enabled, this command is per VDOM. You must set it for each VDOM that has the problem as follows:

config vdom
    edit <vdom_name>
        config system interface
            edit <name_str>
                set l2forward enable
            end
    end

If you enable layer-2 traffic, you may experience a problem if packets are allowed to repeatedly loop through the network. This repeated looping, very similar to a broadcast storm, occurs when you have more than one layer-2 path to a destination. Traffic may overflow and bring your network to a halt. You can break the loop by enabling Spanning Tree Protocol (STP) on your network’s switches and routers. For more information, see “STP forwarding”.

 

ARP traffic

Address Resolution Protocol (ARP) packets are vital to communication on a network, and ARP support is enabled on FortiGate unit interfaces by default. Normally you want ARP packets to pass through the FortiGate unit, especially if it is sitting between a client and a server or between a client and a router.

ARP traffic can cause problems, especially in transparent mode where ARP packets arriving on one interface are sent to all other interfaces including VLAN subinterfaces. Some layer-2 switches become unstable when they detect the same MAC address originating on more than one switch interface or from more than one VLAN. This instability can occur if the layer-2 switch does not maintain separate MAC address tables for each VLAN. Unstable switches may reset and cause network traffic to slow down considerably.

The default ARP timeout value is 5 minutes (300 seconds). So usually ARP entries are removed after 5 minutes. However, some conditions can cause arp entries to remain on the list for a longer time. This is not a configurable value. Enter the  get system arp CLI command to view the ARP list.

 

Multiple VDOMs solution

By default, physical interfaces are in the root domain. If you do not configure any of your VLANs in the root VDOM, it will not matter how many interfaces are in the root VDOM.

The multiple VDOMs solution is to configure multiple VDOMs on the FortiGate unit, one for each VLAN. In this solution, you configure one inbound and one outbound VLAN interface in each VDOM. ARP packets are not forwarded between VDOMs. This configuration limits the VLANs in a VDOM and correspondingly reduces the administration needed per VDOM.

As a result of this configuration, the switches do not receive multiple ARP packets with duplicate MACs. Instead, the switches receive ARP packets with different VLAN IDs and different MACs. Your switches are stable.

 

However, you should not use the multiple VDOMs solution under any of the following conditions:

  • You have more VLANs than licensed VDOMs
  • You do not have enough physical interfaces

Instead, use one of two possible solutions, depending on which operation mode you are using:

  • In NAT mode, you can use the vlan forward CLI command.
  • In transparent mode, you can use the forward-domain CLI command. But you still need to be careful in some rare configurations.

 

Vlanforward solution

If you are using NAT mode, the solution is to use the vlanforward CLI command for the interface in question. By default, this command is enabled and will forward VLAN traffic to all VLANs on this interface. When disabled, each VLAN on this physical interface can send traffic only to the same VLAN. There is no cross-talk between VLANs, and ARP packets are forced to take one path along the network which prevents the multiple paths problem.

In the following example, vlanforward is disabled on port1. All VLANs configured on port1 will be separate and will not forward any traffic to each other.

config system interface edit port1

set vlanforward disable

end

 

Layer2 and Arp traffic

By default, FortiGate units do not pass layer-2 traffic. If non-IP or layer-2 tunnelled protocols such as IPX, PPTP or L2TP are in use on your network, you need to configure your FortiGate unit interfaces to pass these protocols without blocking. Another type of layer-2 traffic is ARP traffic.

You can allow these layer-2 protocols using the CLI command:

config system interface
    edit <name_str>
        set l2forward enable
    end

where <name_str> is the name of an interface.

 

If VDOMs are enabled, this setting is per VDOM. You must set it in each VDOM that has the problem, as follows:

config vdom
    edit <vdom_name>
        config system interface
            edit <name_str>
                set l2forward enable
            end
    end

 

If you enable layer-2 traffic, you may experience a problem if packets are allowed to repeatedly loop through the network. This repeated looping, very similar to a broadcast storm, occurs when you have more than one layer-2 path to a destination. Traffic may overflow and bring your network to a halt. You can break the loop by enabling Spanning Tree Protocol (STP) on your network’s switches and routers. For more information, see “STP forwarding”.

 

ARP traffic

Address Resolution Protocol (ARP) packets are vital to communication on a network, and ARP support is enabled on FortiGate unit interfaces by default. Normally you want ARP packets to pass through the FortiGate unit, especially if it is sitting between a client and a server or between a client and a router.

ARP traffic can cause problems, especially in transparent mode where ARP packets arriving on one interface are sent to all other interfaces including VLAN subinterfaces. Some layer-2 switches become unstable when they detect the same MAC address originating on more than one switch interface or from more than one VLAN. This instability can occur if the layer-2 switch does not maintain separate MAC address tables for each VLAN. Unstable switches may reset and cause network traffic to slow down considerably.

The default ARP timeout value is 5 minutes (300 seconds), so ARP entries are usually removed after 5 minutes. However, some conditions can cause ARP entries to remain in the table for longer. This timeout is not configurable. Enter the get system arp CLI command to view the ARP table.

 

Multiple VDOMs solution

By default, physical interfaces are in the root VDOM. If you do not configure any of your VLANs in the root VDOM, it does not matter how many interfaces are in the root VDOM.

The multiple VDOMs solution is to configure multiple VDOMs on the FortiGate unit, one for each VLAN. In this solution, you configure one inbound and one outbound VLAN interface in each VDOM. ARP packets are not forwarded between VDOMs. This configuration limits the VLANs in a VDOM and correspondingly reduces the administration needed per VDOM.

As a result of this configuration, the switches do not receive multiple ARP packets with duplicate MACs. Instead, the switches receive ARP packets with different VLAN IDs and different MACs, and they remain stable.

However, you should not use the multiple VDOMs solution under any of the following conditions:

  • You have more VLANs than licensed VDOMs
  • You do not have enough physical interfaces

Instead, use one of two possible solutions, depending on which operation mode you are using:

  • In NAT mode, you can use the vlanforward CLI command.
  • In transparent mode, you can use the forward-domain CLI command. But you still need to be careful in some rare configurations.

 

Vlanforward solution

If you are using NAT mode, the solution is to use the vlanforward CLI command for the interface in question. By default, this command is enabled and will forward VLAN traffic to all VLANs on this interface. When disabled, each VLAN on this physical interface can send traffic only to the same VLAN. There is no cross-talk between VLANs, and ARP packets are forced to take one path along the network which prevents the multiple paths problem.

In the following example, vlanforward is disabled on port1. All VLANs configured on port1 will be separate and will not forward any traffic to each other.

 

config system interface
    edit port1
        set vlanforward disable
    end

 

Forwarddomain solution

If you are using transparent mode, the solution is to use the forward-domain CLI command. This command assigns an interface or VLAN to a forwarding domain (a layer-2 collision group), and only interfaces and VLANs in the same forwarding domain receive each other's traffic. It behaves like an additional layer of VLANs inside the FortiGate unit. By default, all interfaces and VLANs are part of forward-domain collision group 0. The benefits of this solution include reduced administration, the need for fewer physical interfaces, and more flexible network designs.

In the following example, forward-domain collision group 340 includes VLAN 340 traffic on port1 and untagged traffic on port 2. Forward-domain collision group 341 includes VLAN 341 traffic on port 1 and untagged traffic on port 3. All other interfaces are part of forward-domain collision group 0 by default. This configuration separates VLANs 340 and 341 from each other on port 1, and prevents the ARP packet problems from before.

 

Use these CLI commands:

config system interface
    edit port1
    next
    edit port2
        set forward-domain 340
    next
    edit port3
        set forward-domain 341
    next
    edit port1-340
        set forward-domain 340
        set interface port1
        set vlanid 340
    next
    edit port1-341
        set forward-domain 341
        set interface port1
        set vlanid 341
    end

 

You may experience connection issues with traffic such as ping if your network configuration has:

  • Packets going through the FortiGate unit in transparent mode more than once
  • More than one forwarding domain (such as incoming on one forwarding domain and outgoing on another)
  • IPS and AV enabled.

IPS and AV are applied the first time packets go through the FortiGate unit, but not on subsequent passes. Applying IPS and AV only to this first pass avoids these layer-2 related connection issues.
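The vlanforward and forward-domain behaviour described above, together with the duplicate-MAC condition from the ARP traffic section, as an added Python model that is not part of this page or of FortiOS. It implements only the rules the page states (flooding confined to a forward-domain in transparent mode; VLAN-to-VLAN forwarding on a physical port governed by vlanforward in NAT mode). The interface tables are constructed from the port1/port2/port3 example and the function names are the example's own.

```python
"""Model of the vlanforward / forward-domain isolation rules described above.

Added example, not FortiOS code: it simulates the flooding behaviour this page
documents so you can see which interfaces an ARP broadcast reaches, and whether
an attached switch would see the FortiGate MAC on several VLANs of one port
(the instability described under "ARP traffic"), before touching a live unit.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Iface:
    name: str
    physical: str                  # underlying port (the port itself for a physical port)
    vlanid: Optional[int] = None   # None = untagged traffic on the physical port
    forward_domain: int = 0        # transparent mode: flooding stays inside one domain
    vlanforward: bool = True       # NAT mode, physical ports only: forward between VLANs


def build(*ifaces: Iface) -> Dict[str, Iface]:
    return {i.name: i for i in ifaces}


def flood_targets(ifaces: Dict[str, Iface], ingress: str, mode: str) -> List[str]:
    """Interfaces that receive a broadcast (e.g. an ARP request) arriving on `ingress`.

    transparent: every other interface in the same forward-domain.
    nat: every other VLAN (or the untagged path) on the same physical port, but
         only while that port has vlanforward enabled; with it disabled, none.
    """
    src = ifaces[ingress]
    if mode == "transparent":
        return sorted(n for n, i in ifaces.items()
                      if n != ingress and i.forward_domain == src.forward_domain)
    if mode == "nat":
        if not ifaces[src.physical].vlanforward:
            return []
        return sorted(n for n, i in ifaces.items()
                      if n != ingress and i.physical == src.physical)
    raise ValueError(f"unknown mode {mode!r}")


def duplicate_mac_risk(ifaces: Dict[str, Iface], mode: str) -> List[str]:
    """Physical ports on which one broadcast would be re-sent on a different VLAN
    of the same port: the attached switch then sees one MAC on several VLANs."""
    risky = set()
    for name, src in ifaces.items():
        for tgt in flood_targets(ifaces, name, mode):
            t = ifaces[tgt]
            if t.physical == src.physical and t.vlanid != src.vlanid:
                risky.add(src.physical)
    return sorted(risky)


# Constructed tables mirroring the port1/port2/port3 example above.
# Transparent mode, everything left in the default forward-domain 0:
ALL_DOMAIN_0 = build(
    Iface("port1", "port1"), Iface("port2", "port2"), Iface("port3", "port3"),
    Iface("port1-340", "port1", 340), Iface("port1-341", "port1", 341))
# Transparent mode, the forward-domain 340/341 configuration from the CLI example:
PAGE_CONFIG = build(
    Iface("port1", "port1"),
    Iface("port2", "port2", forward_domain=340),
    Iface("port3", "port3", forward_domain=341),
    Iface("port1-340", "port1", 340, forward_domain=340),
    Iface("port1-341", "port1", 341, forward_domain=341))
# NAT mode, port1 with vlanforward at its default (enabled) and then disabled:
NAT_DEFAULT = build(Iface("port1", "port1"),
                    Iface("port1-340", "port1", 340), Iface("port1-341", "port1", 341))
NAT_ISOLATED = build(Iface("port1", "port1", vlanforward=False),
                     Iface("port1-340", "port1", 340), Iface("port1-341", "port1", 341))

if __name__ == "__main__":
    for label, table, mode in (("all in domain 0", ALL_DOMAIN_0, "transparent"),
                               ("page config", PAGE_CONFIG, "transparent"),
                               ("NAT, vlanforward enable", NAT_DEFAULT, "nat"),
                               ("NAT, vlanforward disable", NAT_ISOLATED, "nat")):
        print(f"{label}: ARP on port1-340 reaches {flood_targets(table, 'port1-340', mode)}; "
              f"ports at risk: {duplicate_mac_risk(table, mode)}")
```

With everything in forward-domain 0, an ARP request arriving on VLAN 340 of port1 is re-emitted on VLAN 341 of the same port, which is exactly the duplicate-MAC condition; with the page's forward-domain assignment it reaches only port2, and no port is at risk.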

 

NetBIOS

Computers running Microsoft Windows operating systems that are connected through a network can rely on a WINS server to resolve NetBIOS host names to IP addresses. The hosts communicate with the WINS server by using the NetBIOS protocol.

To support this type of network, you need to enable the forwarding of NetBIOS requests to a WINS server. The following example forwards NetBIOS requests received on the internal interface to the WINS server at 192.168.111.222:

config system interface
    edit internal
        set netbios-forward enable
        set wins-ip 192.168.111.222
    end

These commands apply only in NAT mode. If VDOMs are enabled, these commands are per VDOM. You must set them for each VDOM that has the problem.

 

STP forwarding

The FortiGate unit does not participate in the Spanning Tree Protocol (STP). STP is the IEEE 802.1D protocol that ensures there are no layer-2 loops on the network. Loops are created when there is more than one path for traffic to take and that traffic is broadcast back to the original switch. Such a loop floods the network with traffic, reducing available bandwidth to nothing.

If you use your FortiGate unit in a network topology that relies on STP for loop protection, you need to make changes to your FortiGate configuration. Otherwise, STP treats the path through your FortiGate unit as a blocked link and forwards the data along another path. By default, your FortiGate unit blocks STP as well as other non-IP protocol traffic.

Using the CLI, you can enable forwarding of STP and other layer-2 protocols through an interface. In this example, layer-2 forwarding and STP forwarding are both enabled on the external interface:

config system interface
    edit external
        set l2forward enable
        set stpforward enable
    end

 

The stpforward setting passes STP BPDUs specifically. The l2forward setting, also enabled in this example, is what allows other layer-2 protocols such as IPX, PPTP or L2TP to cross the interface (see "Layer2 and Arp traffic").

 

Too many VLAN interfaces

In transparent mode, a virtual domain can have a maximum of 255 interfaces. In NAT mode the per-VDOM limit is between 255 and 8192, depending on the FortiGate model. In both cases the total includes VLANs, other virtual interfaces, and physical interfaces.

Your FortiGate unit may allow you to configure more interfaces than this. However, if you configure more than 255 interfaces, your system will become unstable and, over time, will not work properly. As all interfaces are used, they will overflow the routing table that stores the interface information, and connections will fail. When you try to add more interfaces, an error message will state that the maximum limit has already been reached.

If you see this error message, chances are you already have too many VLANs on your system and your routing has become unstable. To verify, delete a VLAN and try to add it back. If you have too many, you will not be able to add it back on to the system. In this case, you will need to remove enough interfaces (including VLANs) so that the total number of interfaces drops to 255 or less. After doing this, you should also reboot your FortiGate unit to clean up its memory and buffers, or you will continue to experience unstable behavior.

To configure more than 255 interfaces on your FortiGate unit in transparent mode, you have to configure multiple VDOMs, each with many VLANs. However, if you want to create more than the default 10 VDOMs (or a maximum of 2550 interfaces), you must buy a license for additional VDOMs and your FortiGate must be able to be licensed for more than 10 VDOMs.

With these extra licenses, you can configure up to 500 VDOMs, with each VDOM containing up to 255 VLANs in transparent mode, a theoretical maximum of 127,500 interfaces. In practice, system resources are exhausted long before that theoretical maximum. To approach the maximum number of VDOMs, you need top-end hardware with the most resources available.

In NAT mode, if you have a top-end model, the maximum interfaces per VDOM can be as high as 8192, enough for all the VLANs in your configuration.

Your FortiGate unit has limited resources, such as CPU and memory, that are shared between all configured VDOMs. When running 250 or more VDOMs, monitor the system resources to ensure there is enough capacity for the configured traffic processing.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

VLANs in transparent mode


In transparent mode, the FortiGate unit behaves like a layer-2 bridge but can still provide services such as antivirus scanning, web filtering, spam filtering and intrusion protection to traffic. Transparent mode has some limitations: you cannot use SSL VPN, PPTP/L2TP VPN or the DHCP server, and NAT cannot easily be applied to traffic. These limitations also apply to IEEE 802.1Q VLAN trunks passing through the unit.

 

VLANs and transparent mode

You can insert the FortiGate unit operating in transparent mode into the VLAN trunk without making changes to your network. In a typical configuration, the FortiGate unit internal interface accepts VLAN packets on a VLAN trunk from a VLAN switch or router connected to internal network VLANs. The FortiGate external interface forwards VLAN-tagged packets through another VLAN trunk to an external VLAN switch or router and on to external networks such as the Internet. You can configure the unit to apply different policies for traffic on each VLAN in the trunk.

To pass VLAN traffic through the FortiGate unit, you add two VLAN subinterfaces with the same VLAN ID, one to the internal interface and the other to the external interface. You then create a security policy to permit packets to flow from the internal VLAN interface to the external VLAN interface. If required, you create another security policy to permit packets to flow from the external VLAN interface to the internal VLAN interface. Typically in transparent mode, you do not permit packets to move between different VLANs. Network protection features, such as spam filtering, web filtering and anti-virus scanning, are applied through the UTM profiles specified in each security policy, enabling very detailed control over traffic.

When the FortiGate unit receives a VLAN-tagged packet at a physical interface, it directs the packet to the VLAN subinterface with the matching VLAN ID. The VLAN tag is removed from the packet, and the FortiGate unit then applies security policies using the same method it uses for non-VLAN packets. If the packet exits the FortiGate unit through a VLAN subinterface, the VLAN ID for that subinterface is added to the packet and the packet is sent to the corresponding physical interface.

 

There are two essential steps to configure your FortiGate unit to work with VLANs in transparent mode:

  • Add VLAN subinterfaces
  • Create security policies

You can also configure the protection profiles that manage antivirus scanning, web filtering and spam filtering. For more information on UTM profiles, see the UTM Guide.

 

Add VLAN subinterfaces

The VLAN ID of each VLAN subinterface must match the VLAN ID added by the IEEE 802.1Q-compliant router or switch. The VLAN ID can be any number from 1 to 4094: VLAN ID 0 identifies a priority-tagged frame that carries no VLAN membership, and 4095 is reserved, so neither can be assigned to a subinterface. You add VLAN subinterfaces to the physical interface that receives VLAN-tagged packets.
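The tag handling described above (steer the frame to the subinterface whose VLAN ID matches, strip the tag for policy processing, re-apply the egress subinterface's ID on the way out) and the 1 to 4094 range, shown as an added Python example that is not part of this page or of FortiOS. The subinterface table, the policy table, the frame contents and the function names are all constructed for the example; a real unit chooses the egress interface through its full policy and forwarding logic, which this model reduces to the first accept policy whose source is the ingress subinterface.

```python
"""802.1Q tag handling as this page describes it for transparent mode.

Added example, not FortiOS code: a tagged frame is matched to the VLAN
subinterface with the same ID on the ingress port, the tag is removed for
policy processing, and the egress subinterface's ID is re-applied before
the frame is handed to that subinterface's physical port.
"""
import struct
from typing import Dict, List, Optional, Tuple

TPID_8021Q = 0x8100
ETH_HDR = 12  # destination MAC (6) + source MAC (6)


def parse_8021q(frame: bytes) -> Tuple[Optional[int], int, bytes]:
    """Split a frame into (vid, pcp, untagged_frame).

    vid is None when the frame carries no 802.1Q tag. VID 0 (priority-tagged
    only) and 4095 (reserved) are rejected: a VLAN subinterface can only be
    given an ID from 1 to 4094, so such a frame can never match one.
    """
    if len(frame) < ETH_HDR + 4:
        raise ValueError("frame too short for an Ethernet header")
    tpid, tci = struct.unpack("!HH", frame[ETH_HDR:ETH_HDR + 4])
    if tpid != TPID_8021Q:
        return None, 0, frame
    pcp, vid = tci >> 13, tci & 0x0FFF
    if vid in (0, 4095):
        raise ValueError(f"VID {vid} is not a usable VLAN ID")
    return vid, pcp, frame[:ETH_HDR] + frame[ETH_HDR + 4:]


def tag_8021q(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag after the MAC addresses of an untagged frame."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094")
    tci = ((pcp & 0x7) << 13) | vid
    return frame[:ETH_HDR] + struct.pack("!HH", TPID_8021Q, tci) + frame[ETH_HDR:]


# Constructed tables for the VLAN_100/VLAN_200 example on this page (assumed,
# not read from a FortiGate): subinterface -> (physical port, VLAN ID), and
# the accept policies as (srcintf, dstintf) pairs.
SUBIFS: Dict[str, Tuple[str, int]] = {
    "VLAN_100_int": ("internal", 100), "VLAN_100_ext": ("external", 100),
    "VLAN_200_int": ("internal", 200), "VLAN_200_ext": ("external", 200),
}
POLICIES: List[Tuple[str, str]] = [
    ("VLAN_100_int", "VLAN_100_ext"), ("VLAN_100_ext", "VLAN_100_int"),
    ("VLAN_200_int", "VLAN_200_ext"), ("VLAN_200_ext", "VLAN_200_int"),
]


def transit(frame: bytes, ingress_port: str,
            subifs=SUBIFS, policies=POLICIES) -> Tuple[Optional[bytes], str]:
    """Run one frame through the transparent-mode VLAN path.

    Returns (frame to transmit, explanation); the frame is None when the tag
    is unusable, no subinterface matches, or no accept policy applies.
    """
    try:
        vid, pcp, untagged = parse_8021q(frame)
    except ValueError as exc:
        return None, f"dropped: {exc}"
    if vid is None:
        return None, f"untagged frame on {ingress_port}: no VLAN subinterface matches"
    by_port_vid = {pv: name for name, pv in subifs.items()}
    src = by_port_vid.get((ingress_port, vid))
    if src is None:
        return None, f"VLAN {vid} on {ingress_port}: no matching subinterface, dropped"
    # Policy lookup happens on the untagged frame; the first accept policy
    # whose srcintf is the ingress subinterface selects the egress subinterface.
    dst = next((d for s, d in policies if s == src), None)
    if dst is None:
        return None, f"{src}: no accept policy, dropped"
    egress_port, egress_vid = subifs[dst]
    # The tag is re-applied with the egress subinterface's ID, then the frame
    # goes out of that subinterface's physical port.
    return tag_8021q(untagged, egress_vid, pcp), f"{src} -> {dst} via {egress_port}"


def sample_frame(vid: Optional[int]) -> bytes:
    """Constructed minimal frame: two MACs, optional tag, IPv4 ethertype, padding."""
    untagged = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
                + b"\x08\x00" + b"\x00" * 46)
    return untagged if vid is None else tag_8021q(untagged, vid, pcp=5)


if __name__ == "__main__":
    for vid, port in ((100, "internal"), (200, "external"), (300, "internal"), (None, "internal")):
        out, why = transit(sample_frame(vid), port)
        print(f"VLAN {vid} on {port}: {why}; egress tag = {parse_8021q(out)[:2] if out else None}")
```

The priority code point survives the strip and re-tag, which is the behaviour a bridge is expected to preserve; a frame tagged with VID 0 or 4095 is refused at parse time rather than being silently matched to nothing.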

For this example, we are creating a VLAN called internal_v225 on the internal interface, with a VLAN ID of 225. Administrative access is enabled for HTTPS and SSH. VDOMs are not enabled.

 

To add VLAN subinterfaces in transparent mode – web-based manager

1. Go to System > Network > Interface.

2. Select Create New.

3. Enter the following information and select OK.

Name                                           internal_v225

Type                                            VLAN

Interface                                     internal

VLAN ID                                      225

Administrative Access             Enable HTTPS, and SSH. These are very secure access methods.

Comments                                  VLAN 225 on internal interface

The FortiGate unit adds the new subinterface to the interface that you selected.

Repeat steps 2 and 3 to add additional VLANs. You will need to change the VLAN ID, Name, and possibly Interface when adding additional VLANs.

 

To add VLAN subinterfaces in transparent mode – CLI

config system interface
    edit internal_v225
        set vdom root
        set interface internal
        set vlanid 225
        set allowaccess https ssh
        set description "VLAN 225 on internal interface"
    end

 

Create security policies

In transparent mode, the FortiGate unit performs antivirus and antispam scanning on each VLAN’s packets as they pass through the unit. You need security policies to permit packets to pass from the VLAN interface where they enter the unit to the VLAN interface where they exit the unit. If there are no security policies configured, no packets will be allowed to pass from one interface to another.

 

To add security policies for VLAN subinterfaces – web based manager

1. Go to Policy & Objects > Objects > Addresses.

2. Select Create New to add firewall addresses that match the source and destination IP addresses of VLAN packets.

3. Go to Policy & Objects > Policy > IPv4 or Policy & Objects > Policy > IPv6 and select Create New.

4. From the Incoming Interface/Zone list, select the VLAN interface where packets enter the unit.

5. From the Outgoing Interface/Zone list, select the VLAN interface where packets exit the unit.

6. Select the Source and Destination Address names that you added in step 2.

7. Select OK.

 

To add security policies for VLAN subinterfaces – CLI

config firewall address
    edit incoming_VLAN_address
        set associated-interface <incoming_VLAN_interface>
        set type ipmask
        set subnet <IPv4_address_mask>
    next
    edit outgoing_VLAN_address
        set associated-interface <outgoing_VLAN_interface>
        set type ipmask
        set subnet <IPv4_address_mask>
    next
end

For IPv6 policies, use config firewall policy6 in place of config firewall policy.

config firewall policy
    edit <unused_policy_number>
        set srcintf <incoming_VLAN_interface>
        set srcaddr incoming_VLAN_address
        set dstintf <outgoing_VLAN_interface>
        set dstaddr outgoing_VLAN_address
        set schedule always
        set service <protocol_to_allow_on_VLAN>
        set action accept
    next
end

 

Example of VLANs in transparent mode

In this example, the FortiGate unit is operating in transparent mode and is configured with two VLANs: one with an ID of 100 and the other with ID 200. The internal and external physical interfaces each have two VLAN subinterfaces, one for VLAN_100 and one for VLAN_200.

The IP range for the internal VLAN_100 network is 10.100.0.0/255.255.0.0, and for the internal VLAN_200 network is  10.200.0.0/255.255.0.0.

The internal networks are connected to a Cisco 2950 VLAN switch, which carries traffic from the two VLANs on a single 802.1Q trunk to the FortiGate unit internal interface. The VLAN traffic leaves the FortiGate unit on the external interface, goes on to the VLAN router, and on to the Internet. When the FortiGate unit receives a tagged packet, it directs it from the incoming VLAN subinterface to the outgoing VLAN subinterface for that VLAN.

This section describes how to configure a FortiGate-800 unit, Cisco switch, and Cisco router in the network topology shown below.

 

VLAN transparent network topology

 

General configuration steps

The following steps summarize the configuration for this example. For best results, follow the procedures in the order given. Also, note that if you perform any additional actions between procedures, your configuration may have different results.

1. Configure the FortiGate unit which includes

  • Adding VLAN subinterfaces
  • Adding the security policies

2. Configure the Cisco switch and router

 

Configure the FortiGate unit

The FortiGate unit must be configured with the VLAN subinterfaces and the proper security policies to enable traffic to flow through the FortiGate unit.

 

Add VLAN subinterfaces

For each VLAN, you need to create a VLAN subinterface on the internal interface and another one on the external interface, both with the same VLAN ID.

 

To add VLAN subinterfaces – web-based manager

1. Go to System > Network > Interface.

2. Select Create New.

3. Enter the following information and select OK:

Name                                           VLAN_100_int

Interface                                     internal

VLAN ID                                      100

4. Select Create New.

5. Enter the following information and select OK:

Name                                           VLAN_100_ext

Interface                                     external

VLAN ID                                      100

6. Select Create New.

7. Enter the following information and select OK:

Name                                           VLAN_200_int

Interface                                     internal

VLAN ID                                      200

8. Select Create New.

9. Enter the following information and select OK:

Name                                           VLAN_200_ext

Interface                                     external

VLAN ID                                      200

 

To add VLAN subinterfaces – CLI

config system interface
    edit VLAN_100_int
        set type vlan
        set interface internal
        set vlanid 100
    next
    edit VLAN_100_ext
        set type vlan
        set interface external
        set vlanid 100
    next
    edit VLAN_200_int
        set type vlan
        set interface internal
        set vlanid 200
    next
    edit VLAN_200_ext
        set type vlan
        set interface external
        set vlanid 200
    end

 

Add the security policies

Security policies allow packets to travel between the VLAN_100_int interface and the VLAN_100_ext interface. Two policies are required; one for each direction of traffic. The same is required between the VLAN_200_int interface and the VLAN_200_ext interface, for a total of four required security policies.

 

To add the security policies – web-based manager

1. Go to Policy & Objects > Policy > IPv4 or Policy & Objects > Policy > IPv6 and select Create New.

2. Enter the following information and select OK:

Incoming Interface                   VLAN_100_int

Source Address                        all

Outgoing Interface                   VLAN_100_ext

Destination Address                 all

Schedule                                    Always

Service                                       ALL

Action                                         ACCEPT

3. Select Create New.

4. Enter the following information and select OK:

Incoming Interface                   VLAN_100_ext

Source Address                        all

Outgoing Interface                   VLAN_100_int

Destination Address                 all

Schedule                                    Always

Service                                       ALL

Action                                         ACCEPT

5. Go to Policy & Objects > Policy > IPv4 or Policy & Objects > Policy > IPv6 and select Create New.

6. Enter the following information and select OK:

Incoming Interface                   VLAN_200_int

Source Address                        all

Outgoing Interface                   VLAN_200_ext

Destination Address                 all

Schedule                                    Always

Service                                       ALL

Action                                         ACCEPT


7. Select Create New.

8. Enter the following information and select OK:

Incoming Interface                   VLAN_200_ext

Source Address                        all

Outgoing Interface                   VLAN_200_int

Destination Address                 all

Schedule                                    Always

Service                                       ALL

Action                                         ACCEPT

 

To add the security policies – CLI

For IPv6 policies, use config firewall policy6 in place of config firewall policy.

config firewall policy
    edit 1
        set srcintf VLAN_100_int
        set srcaddr all
        set dstintf VLAN_100_ext
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
    next
    edit 2
        set srcintf VLAN_100_ext
        set srcaddr all
        set dstintf VLAN_100_int
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
    next
    edit 3
        set srcintf VLAN_200_int
        set srcaddr all
        set dstintf VLAN_200_ext
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
    next
    edit 4
        set srcintf VLAN_200_ext
        set srcaddr all
        set dstintf VLAN_200_int
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
    end
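A configuration lint, added here as an example in Python (not FortiOS code), that reads a saved CLI configuration and checks the points raised on this page: the 255-interfaces-per-VDOM transparent-mode limit from Too many VLAN interfaces, the l2forward, stpforward and asymroute toggles that reduce inspection or loop protection, and, for VLAN subinterface pairs like the ones just configured, that an accept policy exists in both directions. The parser, the check names and the SAMPLE configuration (modelled on the VLAN_100/VLAN_200 example, with policies 2 and 4 deliberately left out) are all constructed for the example; only top-level tables are parsed, so interfaces placed inside config vdom blocks are not counted.

```python
"""Lint a saved FortiOS CLI configuration against the cautions on this page.
Added example, not FortiOS code: parses config/edit/set/next/end (top-level
tables only; "config vdom" sections are not walked) and runs three checks."""
import shlex
from typing import Dict, List, Tuple

MAX_IFACES_PER_VDOM = 255  # transparent-mode limit stated on this page


def parse_fortios(text: str) -> Dict:
    """table -> {entry -> {attr -> value}}; attr -> value directly for tables
    without entries, such as "system settings"."""
    root: Dict = {}
    stack: List[Tuple[str, Dict]] = [("root", root)]
    for raw in text.splitlines():
        tok = shlex.split(raw)
        if not tok:
            continue
        kind, cur = stack[-1]
        if tok[0] == "config":
            stack.append(("config", cur.setdefault(" ".join(tok[1:]), {})))
        elif tok[0] == "edit":
            stack.append(("edit", cur.setdefault(tok[1], {})))
        elif tok[0] == "set":
            cur[tok[1]] = " ".join(tok[2:])
        elif tok[0] == "next" and kind == "edit":
            stack.pop()
        elif tok[0] == "end":  # closes any still-open edit, then the config
            while stack[-1][0] == "edit":
                stack.pop()
            if stack[-1][0] == "config":
                stack.pop()
    return root


def interfaces_per_vdom(cfg: Dict) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for attrs in cfg.get("system interface", {}).values():
        vdom = attrs.get("vdom", "root")  # interfaces default to the root VDOM
        counts[vdom] = counts.get(vdom, 0) + 1
    return counts


def over_limit_vdoms(cfg: Dict, limit: int = MAX_IFACES_PER_VDOM) -> List[str]:
    return sorted(v for v, n in interfaces_per_vdom(cfg).items() if n > limit)


def risky_toggles(cfg: Dict) -> List[Tuple[str, str]]:
    """(object, setting) pairs with a layer-2 pass-through or asymmetric-routing
    toggle enabled; each one reduces inspection or loop protection."""
    hits = [(name, key) for name, attrs in cfg.get("system interface", {}).items()
            for key in ("l2forward", "stpforward") if attrs.get(key) == "enable"]
    if cfg.get("system settings", {}).get("asymroute") == "enable":
        hits.append(("system settings", "asymroute"))
    return hits


def missing_vlan_policies(cfg: Dict) -> List[Tuple[int, str, str]]:
    """For each VLAN ID carried on more than one interface (the transparent-mode
    pairing), the (vlanid, srcintf, dstintf) directions with no accept policy."""
    by_vid: Dict[int, List[str]] = {}
    for name, attrs in cfg.get("system interface", {}).items():
        if "vlanid" in attrs:
            by_vid.setdefault(int(attrs["vlanid"]), []).append(name)
    accepted = {(p.get("srcintf"), p.get("dstintf"))
                for p in cfg.get("firewall policy", {}).values()
                if p.get("action", "").lower() == "accept"}
    return [(vid, a, b) for vid, names in sorted(by_vid.items())
            for a in names for b in names if a != b and (a, b) not in accepted]


# Constructed configuration modelled on the VLAN_100/VLAN_200 example above,
# with l2forward/stpforward/asymroute switched on and policies 2 and 4 left out.
SAMPLE = """
config system settings
    set asymroute enable
end
config system interface
    edit external
        set l2forward enable
        set stpforward enable
    next
    edit VLAN_100_int
        set vlanid 100
    next
    edit VLAN_100_ext
        set vlanid 100
    next
    edit VLAN_200_int
        set vlanid 200
    next
    edit VLAN_200_ext
        set vlanid 200
    end
config firewall policy
    edit 1
        set srcintf VLAN_100_int
        set dstintf VLAN_100_ext
        set action accept
    next
    edit 3
        set srcintf VLAN_200_int
        set dstintf VLAN_200_ext
        set action accept
    end
"""
```

Run the checks on the output of show full-configuration saved to a file; the three functions return plain lists, so an empty result from each is the condition to require before a change window closes. The `end` handling deliberately accepts the page's own style, where `end` follows a `set` line with no `next` in between.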

 

Configure the Cisco switch and router

This example includes configuration for the Cisco Catalyst 2900 ethernet switch, and for the Cisco Multiservice 2620 ethernet router. If you have access to a different VLAN enabled switch or VLAN router you can use them instead, however their configuration is not included in this document.

 

Configure the Cisco switch

On the VLAN switch, you need to define VLAN_100 and VLAN_200 in the VLAN database and then add a configuration that assigns the access ports to those VLANs and defines the 802.1Q trunk port towards the FortiGate unit.

Add this configuration to the Cisco switch:

interface FastEthernet0/3
 switchport access vlan 100
!
interface FastEthernet0/9
 switchport access vlan 200
!
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
!

 

The switch has the following configuration:

Port 0/3                                             VLAN ID 100

Port 0/9                                             VLAN ID 200

Port 0/24                                           802.1Q trunk

 

Configure the Cisco router

You need to add a configuration file to the Cisco Multiservice 2620 ethernet router. The file defines the VLAN subinterfaces and the 802.1Q trunk interface on the router. The 802.1Q trunk is the physical interface on the router.

 

The IP address for each VLAN on the router is the gateway for that VLAN. For example, all devices on the internal VLAN_100 network (10.100.0.0/255.255.0.0) will have 10.100.0.1 as their gateway. Add this configuration to the Cisco router:

!
interface FastEthernet0/0
!
interface FastEthernet0/0.1
 encapsulation dot1Q 100
 ip address 10.100.0.1 255.255.0.0
!
interface FastEthernet0/0.2
 encapsulation dot1Q 200
 ip address 10.200.0.1 255.255.0.0
!

 

The router has the following configuration:

Port 0/0.1                                         VLAN ID 100

Port 0/0.2                                         VLAN ID 200

Port 0/0                                             802.1Q trunk

 

Test the configuration

Use diagnostic network commands such as traceroute (tracert) and ping to test traffic routed through the network.

 

Testing traffic from VLAN_100 to VLAN_200

In this example, a route is traced between the two internal networks. The route target is a host on VLAN_200. The Windows traceroute command tracert is used.

 

From VLAN_100, access a Windows command prompt and enter this command:

C:\>tracert 10.1.2.2

Tracing route to 10.1.2.2 over a maximum of 30 hops:

  1   <10 ms   <10 ms   <10 ms   10.1.1.1
  2   <10 ms   <10 ms   <10 ms   10.1.2.2

Trace complete.

